Public Website Shared Services

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 7/7/2023

PIA Information for Public Website Shared Services
PIA Questions / PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-7815316-788151
Name: Public Website Shared Services
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Identify the operator: Contractor
Is this a new or existing system? Existing
Does the system have Security Authorization (SA)? Yes
Date of Security Authorization: 6/30/2023
Indicate the following reason(s) for updating this PIA. Choose from the following options.
  • PIA Validation (PIA Refresh/Annual Review)
  • Other - New service being added to PWSS
Describe in further detail any changes to the system that have occurred since the last PIA. Addition of Web Address Redirection Platform (WARP) application to the PWSS Boundary.
Describe the purpose of the system

The purpose of the PWSS system is to provide CMS with a single and unified Application Programming Interface (API) management and registration system. This system contains APIs that are available for other systems to leverage internally and externally. PWSS will provide CMS and other agencies greater flexibility in delivering new services and products that support their goals and missions. The components of the system include:

Kong Enterprise Edition - API management system
GEO API - Geographic location services
Developer Portal API - allows teams to automate API key generation.
SmartyStreets - provides correlation of latitude/longitude coordinates to street addresses for address verification service.
Mapbox - An API that provides map assets.
Akamai DNS Proxy - implements fine-grained authorization rules for teams to use Akamai's Fast DNS API, e.g., so that teams can use Let's Encrypt in Continuous Integration (CI)/Continuous Development (CD) processes.
developer.cms.gov - a marketing site for third-party developers to direct them to CMS open data, code, and APIs.
CloudBees CI Core - An enterprise continuous integration and deployment system which utilizes AWS EKS as a containerization platform.
Tableau - A shared service used for data visualization and reporting.
TestRail - A test case and test management software tool.
JFrog Artifactory - A binary repository management tool.
JFrog Xray - A universal binary analysis product that works with JFrog Artifactory to analyze software components and reveal a variety of issues at any stage of the software application lifecycle.
Grafana - aggregates performance test data and provides analysis and reporting capabilities.
Prometheus - a CloudBees CI Core plug-in that allows Grafana to view system performance data from an internal network connection only.
Secrets Scanner - a GitHub repository scanning utility intended as an addition to the software coding pipeline for all CMS OC systems.
PDF Generator - Provides a form-filling capability that helps contribute to the agency's Section 508 compliance.
JMaaS - a combination of services and tools that gives ADOs the ability to perform performance testing against public websites.
Structurizr - a collection of tools for creating diagrams and documentation from text and/or code.
Web Address Redirection Platform (WARP) - creates a transparent redirect from healthcare.gov to www.healthcare.gov, allowing internal users to access the site without manually adding the "www" prefix.


Services consumed by PWSS subsystems (outside of PWSS boundary):

Let’s Encrypt - Let’s Encrypt (https://letsencrypt.org) is a free, automated, and open certificate authority by the non-profit Internet Security Research Group (ISRG).
AWS Certificate Manager - a paid service offered through Amazon Web Services to request and renew certificates on AWS resources. It is used in place of Let’s Encrypt for Kong, GEO API, SmartyStreets, and Mapbox.
Elastic Container Service (ECS) Cluster - EC2 instances that are installed with the ECS agent and communicate with the AWS ECS service.
LaunchDarkly Federal SaaS - a FedRAMP accredited Cloud Service Provider (CSP) for managing feature flags across environments.


Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

PWSS is an information technology (IT) service that contains and shares geographical information like zip codes, and longitude and latitude for location lookups. It also contains 'open source' IT code for the developers of other CMS applications and systems to use.

PWSS collects in CMS OC Jira the following information for system administration/access: user information (full name, user ID, organization, email address, mobile phone number), and CMS approver's information (name and user ID).

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The PWSS system provides CMS with a suite of tools for managing APIs (Kong Enterprise Edition, Marketplace and Address), API resources for geographic data (GEO API, SmartyStreets, Mapbox) and utilities for managing other applications (CloudBees CI Core with Prometheus, Secrets Scanner, Tableau, TestRail, Grafana, JFrog Artifactory/Xray, Developer Portal, Structurizr, Akamai DNS Proxy, PDF Generator, JMaaS, and Container Scanner).

PWSS Information that is collected, stored and processed is as follows:

GeoAPI, SmartyStreets, and Mapbox permanently store public geographical information like zip codes, street addresses, longitude and latitude, and map tiles for location services. This data is provided by third parties and shared publicly for use by other applications.

Kong administrators permanently collect user information (full name, user ID, organization, email address, mobile phone number) and CMS approver's information (name, email address, and mobile phone number) in CMS JIRA, to distribute Kong API keys.

Container Scanner permanently stores information about known vulnerabilities encrypted in RDS.

Akamai DNS Proxy uses encrypted RDS to store authorized user settings and authorized tokens.

CloudBees CI Core permanently stores 'open source' IT code for the developers of other CMS applications and systems to use.

Tableau, Grafana, Secrets Scanner, Structurizr, JMaaS, and TestRail require user ID and password for login access.

JFrog Artifactory requires user ID and password for login access. JFrog Xray is accessible through Artifactory.

The PDF Generator uses PII and PHI temporarily for creating PDF documents. This utility program does not store any of this information.

Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
  • Other - Organization Name, User Credentials (user ID and password), CMS approver information, business partner member information including name, organization, email address, and mobile phone number, user attributes
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
How many individuals' PII in the system? 100-499
For what primary purpose is the PII used? PII is collected and used to validate an individual's identity and access to some PWSS subsystems. PII is also collected to distribute API keys issued to organizations securely and to access interactive API documentation using API keys. User PII and PHI is temporarily displayed for creating PDF documents. The PDF Generator utility program does not store any of this information.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research). There is no secondary use of PII for this system.
Describe the function of the SSN. Not Applicable for PWSS
Cite the legal authority to use the SSN. Not Applicable for PWSS
Identify legal authorities governing information use and disclosure specific to the system and program. 5 USC Section 301, Departmental Regulations
Are records on the system retrieved by one or more PII data elements? No
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • In-Person
  • Online
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • State/Local/Tribal
Identify the sources of PII in the system: Non-Government Sources
  • Private Sector
Identify the OMB information collection approval number and expiration date: Not Applicable
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. The MiniOrange Single Sign-On Identity Provider (IdP) login screen has a warning and privacy notice that describes the collection of PII when a user registers for access to PWSS in Jira.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. There is no option for users to opt out of PII collection, since users must register to access some PWSS subsystems, to generate PDFs or to acquire API keys for certain services.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. System administrators inform the applicant prior to the enrollment process about how they can be notified about any changes to the way their PII data is used or stored. They can contact the PWSS application administrator if they have any questions about how their data is used/stored.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. PWSS users can contact the PWSS application administrator email account if they believe their PII has been inappropriately used or disclosed or is inaccurate. They can also contact the CMS IT Help Desk for assistance.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. Manual reviews of the user registration list are conducted at least annually to determine if the PII is accurate, whether the user is still active in the system and whether a user is still able to use and access the system. A continuous monitoring program is in place to ensure system integrity and availability. The PWSS is designed with system logic checks to ensure data accuracy and integrity.
Identify who will have access to the PII in the system and the reason why they require access.
  • Administrators: Administrators will have access to PII to perform their job as administrators of the applications, to add, edit and delete users. Additionally, the applications may also collect PII and PHI as data fields are introduced to users in the applications themselves. Administrators may need to access application data to investigate incidents or to troubleshoot the applications.
  • Developers: PWSS developers may access PII to assist with troubleshooting or to distribute API keys.
  • Contractors: PWSS Application or API administrators may be direct contractors and would have access to PII to perform the functions of those roles.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. Administrators of PWSS must have a valid CMS ID, submit a request form, and have been approved through their CMS Contracting Officer's Representative (COR) and manager. After receiving approval by the COR, the administrator must then request access for specific PWSS API access. They are given access based on the principle of least privilege.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. Administrator access to PWSS is restricted to CMS-approved system administrators. Administrators can only access the system using multi-factor authentication and have been granted administrative roles. Access to PII is limited by role-based permissions. Inactive accounts are reviewed and deleted after a set time period.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. Both CMS employees and contractor staff who access or operate CMS systems are required to complete the annual CMS Security Awareness training, provided as a Computer-Based Training (CBT) course. This course specifically addresses what PII is and specifies the privacy laws and regulations that apply to safeguarding PII. Contractors also complete their annual corporate security training, and must sign the HHS Rules of Behavior (ROB). LaunchDarkly users must consent to an online, displayed ROB agreement to obtain access to the system.
Describe training system users receive (above and beyond general security and privacy awareness training)

There is no specific user training in addition to the general security and privacy awareness training. LaunchDarkly users must consent to an application-specific Rules of Behavior (ROB) agreement before obtaining access to the system.


Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. PWSS follows the CMS Records Schedule that was published October 2017 and the National Archives and Records Administration (NARA) General Records Schedule (GRS) 20 and 24. Specifically, for user credentials that are securely stored in the PWSS database, NARA GRS 20 states that PWSS will destroy/delete them when 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later; and GRS 24 states that PWSS will delete/destroy them when the agency determines they are no longer needed for administrative, legal, audit or other operational purposes.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The administrative controls in place to secure the PII include access control: requests for access and authentication to PWSS are limited to specific users. There is also periodic review of users, deletion of inactive accounts, and role-based access for administrators.

The technical controls in place are firewalls that prevent unauthorized access and encrypted access once users obtain approval to log into the application; all communication is encrypted, antivirus and intrusion prevention systems (IPS) are in place, and monthly vulnerability scans and penetration testing are conducted on the system.

The physical controls in place are as follows: the PWSS is hosted in a CMS Virtual data center. The data center has exterior security controls, including the use of security cards and pass codes, and security guards. PWSS maintenance/administrative users gain access to the server equipment by using security tokens and user credentials.


Identify the publicly-available URL: https://developer.cms.gov
Does the website have a posted privacy notice? Yes
Is the privacy policy available in a machine-readable format? Yes
Does the website use web measurement and customization technology? No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government websites external to HHS? Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? Yes