Download:
pdf |
pdfPIA Assessment
1. OPDIV
NIH
2. PIA Unique Identifier
P-3643799-198981
2a. Name
NCI Local Network
3. The subject of this PIA is
which of the following?
General Support System
3a. Identify the Enterprise
Performance Lifecycle Phase Operational
of the system.
3b. Is this a FISMAReportable system?
Yes
4. Does the system include a
Website or online application
No
available to and for the use
of the general public?
Accept / Reject Status
Accept
Question 4 Comment
5. Identify the operator.
Agency
6. Point of Contact (POC)
POC Title
System Owner
POC Name
Cliff Wong
POC Organization
NCI/OD/CBIIT
POC Email
[email protected]
POC Phone
240-276-5132
Accept / Reject Status
Accept
Question 6 Comment
7. Is this a new or existing
system?
Existing
8. Does the system have
Yes
Security Authorization (SA)?
�Accept / Reject Status
Accept
Question 8 Comment
8a. Date of Security
Authorization
08/31/2017
9. Indicate the following
reason(s) for updating this
PIA. Choose from the
following options.
PIA Validation (PIA Refresh/Annual Review)
Other
This General Support System (GSS) is established by the National
Cancer Institute (NCI), Office of the Director (OD), Center for
Biomedical Informatics and Information Technology (CBIIT). The
NCI Local Network (LAN) General Support System (GSS) is
aligned as a Tier 1 GSS to fulfill the purpose mandated by the NIH
IT System Realignment; streamline reporting for the Federal
Information Security Modernization Act (FISMA) 2014 and
facilitate efficiency. This Tier 1 General Support System (GSS) does
not itself have a website or online application; however, the NCI
LAN GSS contains significant subcomponents (subsystems) which
are essential to achieving the mission of the National Cancer
Institute (NCI). These Tier 2, 3, and 4 subsystems have unique and
specific Privacy Impact Assessments (PIAs); which may address
website(s); online applications; Personally Identifiable Information
(PII); applicability to Privacy Act System of Records Notice
(SORN) and the Paperwork Reduction Act (PRA) Information
Collection Request.
Accept / Reject Status
Accept
Question 9 Comment
�Due to the scope of the NCI LAN GSS, it is not usable to list all
changes to the system within the format of this Privacy Impact
Assessment (PIA). However, all changes to the NCI Local Network
(LAN) GSS are managed within an established baseline system
configuration which adheres to federal standards and settings
10. Describe in further detail including configuration guidelines for desktops, firewalls, software,
any changes to the system
operating systems, environment, and other IT devices. NCI currently
that have occurred since the uses multiple repositories (e.g., JIRA, Collaborate) to maintain
last PIA.
Configuration Management artifacts and Collaborate to dynamically
generate and display real-time server information using SQL from
data. NCI uses a private implementation of ServiceNow to manage
all configuration change requests. The complete inventory of all
LAN systems, devices, and assets is maintained in various formats,
depending on the nature of the asset.
Accept / Reject Status
Question 10 Comment
Accept
�11. Describe the purpose of
the system.
Due to the scope and purpose of this General Support System, the
NIH Senior Official for Privacy requests that the final Privacy
Impact Assessment be withheld from publication on an external
website. The purpose of the National Cancer Institute's (NCI) Local
Network (LAN) General Support System (GSS) is to provide
infrastructure, network services, and application hosting to support a
variety of cancer related research, education, and biomedical
initiatives. It is used to provide access and connectivity to NCI
computing devices and storage resources. Included within the NCI
LAN GSS authorization boundary are NCI Center for Biomedical
Informatics and Information Technology (CBIIT) supported servers,
end-user computers, network devices, and print services.
The National Cancer Institute (NCI) leads the National Cancer
Program and the National Institutes of Health (NIH), U.S.
Department of Health and Human Services (HHS) efforts to
dramatically reduce the prevalence of cancer and improve the lives
of cancer patients and their families, through research into
prevention and cancer biology, the development of new
interventions, and the training and mentoring of new researchers.
NCI Local Network (LAN) General Support System (GSS) has the
following subcomponents:
CBIIT Portfolio Manager System
Cancer Genome Anatomy Project
Cooperative Research and Development Agreements
DCEG Intramural
DCP Enterprise System Knowledgebase
Document Generation System
Early Detection Research Network
Electronic Telework System
Health Communications Internship Program
Introduction to Cancer Research Careers
Labmatrix (NCI)
Molecular Analysis for Therapy Choice (MATCH) application
NCI At Your Service
NCI Cancer Central Clinical Database
NCI Cloud Services
NCI DCTD M-PACT Tumor Sequencing Database Management
System (Genemed)
NCI Enterprise Security Program
NCI IMPAC II Extensions
NCI Mobile and Web Applications
NCI National Biomedical Imaging Archive
NCI OSFM Computer Aided Facility Management System
NCI Portfolio Management Application
NCI Public Websites
NCI SharePoint
NCI Unified Communications
OCPL Websites of Information for Public External
Office of Acquisition System E-Contracts
�Accept / Reject Status
Question 11 Comment
Accept
�As a Tier 1 General Support System (GSS), NCI Local Network
(LAN) does not itself collect, maintain (store) or share information.
However, the NCI LAN GSS contains significant subcomponents
(subsystems) which are essential to achieving the mission of the
National Cancer Institute (NCI). These Tier 2, 3, and 4 subsystems
have unique and specific Privacy Impact Assessments (PIAs) which
address the type of information the specific system will collect,
maintain, store, and share. NCI Local Network (LAN) General
Support System (GSS) has the following subcomponents:
CBIIT Portfolio Manager System
Cancer Genome Anatomy Project
Cooperative Research and Development Agreements
DCEG Intramural
DCP Enterprise System Knowledgebase
Document Generation System
Early Detection Research Network
Electronic Telework System
Health Communications Internship Program
Introduction to Cancer Research Careers
Labmatrix (NCI)
Molecular Analysis for Therapy Choice (MATCH) application
NCI At Your Service
12. Describe the type of
NCI Cancer Central Clinical Database
information the system will NCI Cloud Services
collect, maintain (store), or NCI DCTD M-PACT Tumor Sequencing Database Management
share. (Subsequent questions System (Genemed)
will identify if this
NCI Enterprise Security Program
information is PII and ask
NCI IMPAC II Extensions
about the specific data
NCI Mobile and Web Applications
elements.)
NCI National Biomedical Imaging Archive
NCI OSFM Computer Aided Facility Management System
NCI Portfolio Management Application
NCI Public Websites
NCI SharePoint
NCI Unified Communications
OCPL Websites of Information for Public External
Office of Acquisition System E-Contracts
PRO-CTCAE
Secure Physical Access Control and Environmental Systems
Smokefree.gov Website(s) and Mobile Apps
TTC Technology Information Management System
e-Grants, web-Grants
Users log in to the various supported applications/systems on this
GSS using NIH Active Directory, which maintains its own unique
privacy impact assessment (PIA). The purpose of NIH Active
Directory is to authenticate and authorize all users and computers in
a Windows domain type network; assigning and enforcing
information security policies for all computers and installing or
updating software. NIH Active Directory collects unique user names
�Accept / Reject Status
Accept
Question 12 Comment
13. Provide an overview of
the system and describe the
information it will collect,
maintain (store), or share,
either permanently or
temporarily.
The National Cancer Institute's (NCI) Local Network (LAN)
General Support System (GSS) provides infrastructure, network
services, and application hosting to support a variety of cancer
related research, education, and biomedical initiatives. It is used to
provide access and connectivity to NCI computing devices and
storage resources. The NCI LAN GSS provides a range of
supporting and shared services that enable NCI stakeholders to
operate applications, manage directory services, manage software
development services, maintain knowledge platforms and enable
common communications tools (i.e. unified communications,
WebEx), security operations and monitoring services, but does not
directly own the data stored, collected or processed by these
applications. Included within the NCI LAN GSS authorization
boundary are NCI Center for Biomedical Informatics and
Information Technology (CBIIT) supported servers, end-user
computers, network devices, and print services.
Users log in to the various supported applications/systems on this
GSS using NIH Active Directory, which maintains its own unique
privacy impact assessment (PIA). The purpose of NIH Active
Directory is to authenticate and authorize all users and computers in
a Windows domain type network; assigning and enforcing
information security policies for all computers and installing or
updating software. NIH Active Directory collects unique user names
and passwords (user credentials) and stores them in an encrypted
format. NIH Active Directory is an essential service which
facilitates and governs network access to various resources.
Accept / Reject Status
Accept
Question 13 Comment
14. Does the system collect,
maintain, use or share PII?
No
Accept / Reject Status
Accept
�Question 14 Comment
As a Tier 1 General Support System (GSS), the NCI Local Network
(LAN) does not itself collect, maintain (store) or share information.
However, the NCI LAN GSS contains significant subcomponents
(subsystems) which are essential to achieving the mission of the
National Cancer Institute (NCI). These Tier 2, 3, and 4 subsystems
have unique and specific Privacy Impact Assessments (PIAs) which
address the type of information the specific system will collect,
maintain, store, and share, including personally identifiable
information (PII).
15. Indicate the type of PII
that the system will collect
or maintain.
Accept / Reject Status
Question 15 Comment
16. Indicate the categories of
individuals about whom PII
is collected, maintained or
shared.
Accept / Reject Status
Question 16 Comment
17. How many individuals'
PII is in the system?
10,000-49,999
Accept / Reject Status
Question 17 Comment
18. For what primary
purpose is the PII used?
No
�Accept / Reject Status
Question 18 Comment
19. Describe the secondary
uses for which the PII will
be used (e.g. testing, training
or research)
Accept / Reject Status
Question 19 Comment
20. Describe the function of
the SSN.
Accept / Reject Status
Question 20 Comment
20a. Cite the legal authority
to use the SSN.
21. Identify legal authorities
governing information use
and disclosure specific to the
system and program.
22. Are records on the
system retrieved by one or
more PII data elements?
No
Accept / Reject Status
Question 22 Comment
22a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is
being used to cover the system or identify if a SORN is being developed.
Published:
Published:
Published:
�In Progress
23. Identify the sources of
PII in the system.
Accept / Reject Status
Question 23 Comment
23a. Identify the OMB
information collection
approval number and
expiration date.
24. Is the PII shared with
other organizations?
Accept / Reject Status
Question 24 Comment
24a. Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS
Other Federal Agency/
Agencies
State or Local Agency/
Agencies
Private Sector
�24b. Describe any
agreements in place that
authorizes the information
sharing or disclosure (e.g.
Computer Matching
Agreement, Memorandum of
Understanding (MOU), or
Information Sharing
Agreement (ISA)).
24c. Describe the procedures
for accounting for
disclosures.
25. Describe the process in
place to notify individuals
that their personal
information will be
collected. If no prior notice
is given, explain the reason.
Accept / Reject Status
Question 25 Comment
26. Is the submission of PII
by individuals voluntary or
mandatory?
Accept / Reject Status
Question 26 Comment
27. Describe the method for
individuals to opt-out of the
collection or use of their PII.
If there is no option to object
to the information collection,
provide a reason.
Accept / Reject Status
Question 27 Comment
�28. Describe the process to
notify and obtain consent
from the individuals whose
PII is in the system when
major changes occur to the
system (e.g., disclosure and/
or data uses have changed
since the notice at the time
of original collection).
Alternatively, describe why
they cannot be notified or
have their consent obtained.
Accept / Reject Status
Question 28 Comment
29. Describe the process in
place to resolve an
individual's concerns when
they believe their PII has
been inappropriately
obtained, used, or disclosed,
or that the PII is inaccurate.
If no process exists, explain
why not.
Accept / Reject Status
Question 29 Comment
30. Describe the process in
place for periodic reviews of
PII contained in the system
to ensure the data's integrity,
availability, accuracy and
relevancy. If no processes
are in place, explain why
not.
Accept / Reject Status
Question 30 Comment
31. Identify who will have access to the PII in the system and the reason why they require access.
�Users
Administrators
Developers
Contractors
Others
32. Describe the procedures
in place to determine which
system users (administrators,
developers, contractors, etc.)
may access PII.
Accept / Reject Status
Question 32 Comment
33. Describe the methods in
place to allow those with
access to PII to only access
the minimum amount of
information necessary to
perform their job.
Accept / Reject Status
Question 33 Comment
�34. Identify training and
awareness provided to
personnel (system owners,
managers, operators,
contractors and/or program
managers) using the system
to make them aware of their
responsibilities for
protecting the information
being collected and
maintained.
Accept / Reject Status
Question 34 Comment
35. Describe training system
users receive (above and
beyond general security and
privacy awareness training).
Accept / Reject Status
Question 35 Comment
36. Do contracts include
Federal Acquisition
Regulation and other
appropriate clauses ensuring
adherence to privacy
provisions and practices?
Accept / Reject Status
Question 36 Comment
37. Describe the process and
guidelines in place with
regard to the retention and
destruction of PII. Cite
specific records retention
schedules.
Accept / Reject Status
�Question 37 Comment
38. Describe, briefly but with
specificity, how the PII will
be secured in the system
No Pii
using administrative,
technical, and physical
controls.
Accept / Reject Status
Question 38 Comment
39. Identify the publiclyavailable URL.
Accept / Reject Status
Question 39 Comment
40. Does the website have a
posted privacy notice?
Accept / Reject Status
Question 40 Comment
40a. Is the privacy policy
available in a machinereadable format?
41. Does the website use
web measurement and
customization technology?
Accept / Reject Status
Question 41 Comment
�41a. Select the type of website measurement and customization technologies is in use and if it is
used to collect PII. (Select all that apply).
Web Beacons
Collects PII?
Web Bugs
Collects PII?
Session Cookies
Collects PII?
Persistent Cookies
Collects PII?
Other ...
Collects PII?
42. Does the website have
any information or pages
No
directed at children under the
age of thirteen?
Accept / Reject Status
Question 42 Comment
42a. Is there a unique
privacy policy for the
website, and does the unique
privacy policy address the
process for obtaining
parental consent if any
information is collected?
43. Does the website contain
links to non-federal
government websites
external to HHS?
Accept / Reject Status
�Question 43 Comment
43a. Is a disclaimer notice
provided to users that follow
external links to websites not
owned or operated by HHS?
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to
be filled out unless the user is an OPDIV Senior Officer for Privacy.
1. Are the questions on the
PIA answered correctly,
accurately, and completely?
Yes
Reviewer Notes
Accept / Reject Status
Accept
Question 1 Comment
2. Does the PIA
appropriately communicate
the purpose of PII in the
Yes
system and is the purpose
justified by appropriate legal
authorities?
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
Question 2 Comment
3. Do system owners
demonstrate appropriate
understanding of the impact
of the PII in the system and
provide sufficient oversight
to employees and
contractors?
Yes
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
�Question 3 Comment
4. Does the PIA
appropriately describe the
PII quality and integrity of
the data?
No
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
Question 4 Comment
5. Is this a candidate for PII
minimization?
No
Reviewer Notes
Accept / Reject Status
Accept
Question 5 Comment
6. Does the PIA accurately
identify data retention
procedures and records
retention schedules?
No
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
Question 6 Comment
7. Are the individuals whose
PII is in the system provided No
appropriate participation?
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
Question 7 Comment
�8. Does the PIA raise any
concerns about the security
of the PII?
No
Reviewer Notes
Accept / Reject Status
Accept
Accept / Reject Status
Accept
Question 8 Comment
9. Is applicability of the
Privacy Act captured
correctly and is a SORN
published or does it need to
be?
No
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
Accept / Reject Status
Accept
Question 9 Comment
10. Is the PII appropriately
limited for use internally and No
with third parties?
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
Question 10 Comment
11. Does the PIA
demonstrate compliance
with all Web privacy
requirements?
No
Reviewer Notes
Not applicable.
Accept / Reject Status
Accept
Question 11 Comment
�12. Were any changes made
to the system because of the
completion of this PIA?
No
Reviewer Notes
Accept / Reject Status
Accept
Question 12 Comment
General Comments
Status and Approvals
IC Status
IC Approved
OSOP Status
HHS Approved
OPDIV Senior Official for
Privacy Signature
HHS Senior Agency Official
for Privacy
�
| File Type | application/pdf |
| File Title | NCI Local Network PIA[1] |
| Author | Horovitch-Kelley, Vivian (NIH/NCI) [E] |
| File Modified | 2018-10-15 |
| File Created | 2018-10-15 |