Privacy Threshold Analysis (PTA)

PTA, FEMA - Non Disaster Grants (ND Grants), 20150318, PRIV Final.pdf

Non-Disaster (ND) Grants System

OMB: 1660-0025

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version number: 01-2014
Page 1 of 8

PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.

Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]

Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.

PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or Program Name: Non Disaster (ND) Grants System
Component: Federal Emergency Management Agency (FEMA)
Office or Program: Grant Programs Directorate (GPD)
Xacta FISMA Name (if applicable): Non Disaster Grants
Xacta FISMA Number (if applicable): FEM – 03647 MAJ - 03647
Type of Project or Program: IT System
Project or program status: Operational
Date first developed: August 8, 2008
Pilot launch date: April 4, 2011
Date of last PTA update: May 17, 2012
Pilot end date: April 4, 2011
ATO Status (if applicable): Complete
ATO expiration date (if applicable): July 09, 2015

PROJECT OR PROGRAM MANAGER
Name: Charles Seong
Office: Systems and Business Support Branch / Program Support Division / Grant Programs Directorate
Title: Program Manager
Phone: 202-786-9539
Email: [email protected]

INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name: David H. Thurman
Phone: 202-786-9606
Email: [email protected]

SPECIFIC PTA QUESTIONS
1. Reason for submitting the PTA: Renewal PTA
The Non-Disaster Grant Management System (ND Grants) is a web-based system intended to
provide the Federal Emergency Management Agency (FEMA) and its stakeholders with a
system that supports the grants management lifecycle.
ND Grants includes:
• Administrative Organization Modules
• Application Submission
• Grants.gov Interface
• Award Package Creation and Review
• External Organization Management and Task Assignment Services
ND Grants has interfaces to both FEMA and non-FEMA systems. The interfaces include the FEMA
Service Oriented Architecture Generic Support System (SOA GSS), which provides business process
(BPM) and business rule management (BRM) as a service to the ND Grants application; the FEMA
Generic Financial Interface (GFI), which provides an intermediary to the Integrated Financial
Management Information System (IFMIS), FEMA’s core accounting system; FEMA’s Integrated Security
Authentication and Access Control system (ISAAC), which provides user authentication and role
management as a service to the ND Grants application; and the Department of Health and Human
Services (HHS)’s Grants.gov web application, which provides Funding Opportunity advertisement and
application services. PII flows from Grants.gov to ND Grants, and the remaining required
data elements are updated by grantees in ND Grants.
This iteration of ND Grants, ND Grants 3.0, utilizes two middleware products: Business Process Manager
(BPM) and Operational Decision Manager (ODM), which replace the need for custom code within the
application for workflow and business rules, respectively. Both BPM and ODM are hosted on FEMA’s
Service Oriented Architecture (SOA).

2. Does this system employ any of the
following technologies:
If you are using any of these technologies and
want coverage under the respective PIA for that
technology please stop here and contact the DHS
Privacy Office for further guidance.

Closed Circuit Television (CCTV)
Social Media
Web portal 1 (e.g., SharePoint)
Contact Lists
None of these

1 Informational and collaboration-based portals in operation at DHS and its components that collect, use, maintain, and share
limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who
seek to gain access to the portal.

3. From whom does the Project or
Program collect, maintain, use, or
disseminate information?
Please check all that apply.

This program does not collect any personally
identifiable information 2
Members of the public
DHS employees/contractors (list components):
Contractors working on behalf of DHS
Employees of other federal agencies

4. What specific information about individuals is collected, generated or retained?
Information is collected from States, Local Government agencies, Port Authorities, Transit Authorities, Non‐profit
organizations and private companies to determine activity eligibility for funding under FEMA grant programs. This
information includes basic public information about the agency or organization, including the name of the point of
contact for the application, work address, work phone and fax numbers, cell phone number and work email address.
Information for grant processing also includes the organizations’ financial information such as bank account
numbers and routing numbers as well as information about the activity or activities proposed to be completed under
the requested grant.
• Name of Organization’s Designated Point of Contact (POC);
• POC Title;
• POC's office mailing address;
• POC's office phone number;
• POC's office cellphone number;
• POC's office fax number;
• POC's work e-mail address;
• Organization Name;

4(a) Does the project, program, or system retrieve information by personal identifier?
No. Please continue to next question.
Yes. If yes, please list all personal identifiers used:

4(b) Does the project, program, or system use Social Security Numbers (SSN)?
No.
Yes.

4(c) If yes, please provide the specific legal basis and purpose for the collection of SSNs:
NA

2 DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.

4(d) If yes, please describe the uses of the SSNs within the project, program, or system:
NA

4(e) If this project, program, or system is an information technology/system, does it relate solely to infrastructure?
For example, is the system a Local Area Network (LAN) or Wide Area Network (WAN)?
No. Please continue to next question.
Yes. If a log kept of communication traffic, please answer the following question.

4(f) If header or payload data 3 is stored in the communication traffic log, please detail the data
elements stored.
NA

5. Does this project, program, or system
connect, receive, or share PII with any
other DHS programs or systems 4?

No.
Yes. If yes, please list:
Click here to enter text.

6. Does this project, program, or system connect, receive, or share PII with any external (non-DHS) partners or systems?
No.
Yes. If yes, please list: HHS’s Grants.gov

6(a) Is this external sharing pursuant to new or existing information sharing access agreement (MOU, MOA, LOI, etc.)?
Yes, MOU with HHS is through DHS.

3 When data is sent over the Internet, each unit transmitted includes both header information and the actual data being sent. The
header identifies the source and destination of the packet, while the actual data is referred to as the payload. Because header
information, or overhead data, is only used in the transmission process, it is stripped from the packet when it reaches its
destination. Therefore, the payload is the only data received by the destination system.
4 PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes. Often, these
systems are listed as “interconnected systems” in Xacta.

7. Does the project, program, or system provide role-based training for personnel who have access in addition
to annual privacy training required of all DHS personnel?
No.
Yes. If yes, please list:

8. Per NIST SP 800-53 Rev. 4, Appendix J, does the project, program, or system maintain an accounting of disclosures
of PII to individuals who have requested access to their PII?
No. What steps will be taken to develop and maintain the accounting:
Yes. In what format is the accounting maintained:

9. Is there a FIPS 199 determination? 4
Unknown.
No.
Yes. Please indicate the determinations for each of the following:
Confidentiality: Low | Moderate | High | Undefined
Integrity: Low | Moderate | High | Undefined
Availability: Low | Moderate | High | Undefined

PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer: Lane Raffray
Date submitted to Component Privacy Office: February 25, 2015
Date submitted to DHS Privacy Office: March 11, 2015

Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
PIA: DHS/FEMA/PIA-013 Grant Management Programs
SORN: DHS/FEMA-004 Non-Disaster Grant Management Information Files (March 13, 2015; 80 FR
13404).
(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)

4 FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems and is used to establish security categories of information systems.

DHS Privacy Office Reviewer: Eric M. Leckey
PCTS Workflow Number: 1070736
Date approved by DHS Privacy Office: March 18, 2015
PTA Expiration Date: March 18, 2018
DESIGNATION

Privacy Sensitive System: Yes
If “no” PTA adjudication is complete.

Category of System: IT System
If “other” is selected, please describe: Click here to enter text.

Determination:
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact your component PRA Officer.
A Records Schedule may be required. Contact your component Records Officer.

PIA: System Covered by an Existing PIA
If covered by existing PIA, please list: DHS/FEMA/PIA-013 Grant Management Programs

SORN: System Covered by an Existing SORN
If covered by existing SORN, please list: DHS/FEMA-004 Non-Disaster Grant Management Information Files (March 13, 2015; 80 FR 13404).
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
FEMA’s Non-Disaster Grant Management System (ND Grants) is a web-based system that provides the
agency and its stakeholders with a system that supports the grants management lifecycle. ND Grants is a
privacy sensitive system because it collects PII from members of the public in the form of contact type
information collected from points of contacts for non-disaster grants.
ND Grants is covered by the DHS/FEMA/PIA-013 Grant Management Programs PIA and is listed in its
Appendix A as a covered system. The recently re-published DHS/FEMA-004 Non-Disaster Grant
Management Information Files (March 13, 2015; 80 FR 13404) covers the records maintained in ND
Grants. No further action is required for this system at this time.


File Type: application/pdf
File Title: DHS PRIVACY OFFICE
Author: marilyn.powell
File Modified: 2015-03-18
File Created: 2015-03-18
