1625-0127 Privacy Impact Assessment (PIA)

24_0226_privacy-pia022a-cgmix-update (1).pdf

Marine Transportation System Recovery

1625-0127 Privacy Impact Assessment (PIA)

OMB: 1625-0127

Document [pdf]
Download: pdf | pdf
Privacy Impact Assessment
for the

Coast Guard Maritime Information
eXchange (CGMIX)
DHS Reference No. DHS/USCG/PIA-022(a)
February 26, 2024

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 1

Abstract
The United States Coast Guard (USCG) owns and operates the Coast Guard Maritime
Information eXchange (CGMIX) system. CGMIX provides USCG maritime-related information
to the public and facilitates information sharing to federal, state, tribal, territorial, and local
governments. USCG is publishing this Privacy Impact Assessment (PIA) update because the
Contingency Preparedness System (CPS) is now included in the CGMIX system boundary and
maintains personally identifiable information (PII).

Overview
The purpose of the CGMIX website is to make Coast Guard maritime information available
on the public internet in the form of searchable databases. Much of the information in the CGMIX
website comes from Coast Guard’s Marine Information for Safety and Law Enforcement (MISLE)
information system. 1 CGMIX is owned and funded by the USCG Office of Command, Control,
Communication and Computers (C4) & Sensor Capabilities (CG-761). CGMIX supports USCG’s
marine safety, security, environmental protection, and law enforcement program mission areas.
CGMIX permits the Coast Guard to accomplish the following statutory requirements: to establish
a Marine Safety Information System to collect information on commercial vessels operating in
U.S. waters; 2 to establish the Vessel Identification System to make available information on the
ownership of documented and state registered vessels; 3 and to make reports of investigations
available to the public. 4 CGMIX and its components are listed as data sources on the Data.gov
website 5 in response to the Open Government Directive. 6
CGMIX is being updated to include the Contingency Preparedness System within the
CGMIX boundary. CGMIX previously consisted of three web-based applications sharing the same
hardware in the Demilitarized Zone (DMZ): 7 (1) Vessel Identification System (VIS); (2) Response
Resource Inventory (RRI); and (3) the Common Assessment and Reporting Tool (CART). CGMIX
includes ten sub-applications, which are discussed below.
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. COAST GUARD, PRIVACY IMPACT
ASSESSMENT FOR THE MARINE INFORMATION FOR SAFETY AND LAW ENFORCEMENT,
DHS/USCG/PIA-008 (2009), available at https://www.dhs.gov/privacy-documents-us-coast-guard.
2
46 U.S.C. § 3717.
3
46 U.S.C. § 12501.
4
46 U.S.C. § Part D.
5
See THE HOME OF THE U.S. GOVERNMENT’S OPEN DATA, available at Data.gov Home - Data.gov.
6
See EXECUTIVE OFFICE OF THE PRESIDENT OF THE UNITED STATE, OFFICE OF MANAGEMENT
AND BUDGET, OMB M-10-06, OPEN GOVERNMENT DIRECTIVE (2010), available at
https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2010/m10-06.pdf.
7
Demilitarized Zone is the perimeter network segment that is logically between internal and external networks that
enforces internal network Information Assurance (IA) policy for external information exchange and to provide
external untrusted sources with restricted access to releasable information while shielding the internal networks from
outside attacks.
1

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 2

CGMIX also makes non-sensitive pollution incident reports available to the general public
and does not require a login for access to this information. Data in the CGMIX application is
derived from the USCG Marine Information for Safety and Law Enforcement and the National
Response Center’s Incident Reporting Information System (IRIS), 8 and is scrubbed to remove
personally identifiable information and any sensitive data prior to posting.
By making information in CGMIX directly available to the public, CGMIX provides
information outside of the Freedom of Information Act (FOIA) process, expedites delivery of the
information to the requestor, and provides transparency of Coast Guard missions. CGMIX and its
sub-applications were developed to address the frequency of requests for related information and
to support extraction of that information from the source database, typically, the Marine
Information for Safety and Law Enforcement system.
Vessel Identification System (VIS)
The Vessel Identification System is the USCG repository for U.S. state registered
recreation vessels. The data in the Vessel Identification System consists of registration and
ownership data from participating states and the USCG National Vessel Documentation Center.
Vessel Identification System data is only accessible to numbering and titling, registration, and law
enforcement personnel of Vessel Identification System participating states and federal agencies. 9
The Vessel Identification System contains owner and vessel information on vessels registered or
titled by a state or territorial government and requires a user log-in for access. The Vessel
Identification System is also available to all Marine Information for Safety and Law Enforcement
system users. The Vessel Identification System collects vessel registration data (e.g., name,
address, date of birth, Social Security number (SSN), driver’s license number, and tax
identification number (TIN)) 10 of the vessel owner from vessel registration databases of states that
have a Memorandum of Agreement (MOA) with the USCG.
A typical Vessel Identification System search begins with the user accessing the Vessel
Identification System website and entering their credentials. The user submits search criteria (e.g.,
owner first or last name, vessel name, registration number) to conduct a Vessel Identification
System search. When a match is found, the system returns the owner’s name, date of birth, Social
Security number, driver’s license number, address, and tax identification number. The system also
provides data associated with the vessel (e.g., name, primary use, length), law enforcement
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. COAST GUARD, PRIVACY IMPACT
ASSESSMENT FOR THE INCIDENT REPORTING INFORMATION SYSTEM (IRIS), DHS/USCG/PIA-023
(2015 and subsequent updates), available at https://www.dhs.gov/privacy-documents-us-coast-guard.
9
See https://cgmix.uscg.mil/VISInformation.aspx for a list of participating states.
10
Taxpayer identification number is the number used by the Internal Revenue Service (IRS) to uniquely identify a
taxpayer. If the vessel owner is an individual, the taxpayer identification number is the Social Security number. If
the vessel owner is a corporation or other organization, the IRS assigns a unique taxpayer identification number to
that entity.
8

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 3

infractions (e.g., date reported stolen, vessel insurance number, insurance company name),
historical registration (e.g., previous title or state number, previous issuing state), and lien and title
information (i.e., title number, effective title date, name and address of each secured party, lien
holder).
Response Resource Inventory (RRI)
The Response Resource Inventory is a web-based application that Oil Spill Recovery
Organizations (OSRO) 11 use to submit and edit available pollution response equipment
inventories. The Response Resource Inventory requires a user log-in for access and is available to
USCG personnel assigned to the National Strike Force Coordination Center (NSFCC) and any Oil
Spill Recovery Organizations authorized to submit pollution response equipment inventories by
the National Strike Force Coordination Center. Oil Spill Recovery Organizations may submit, edit,
and review inventories they have available for disaster response. Authorized personnel access the
Response Resource Inventory via a multifactor sign-in solution, through which users are
authenticated by username, password, and a one-time-passcode (OTP), which is auto-generated.
Common Assessment and Reporting Tool (CART)
The Common Assessment and Reporting Tool is an application used to report and
document the Marine Transportation System (MTS) status following a transportation disruption
significantly affecting the Marine Transportation System that will, or is anticipated to, last longer
than 72 hours. The Common Assessment and Reporting Tool requires a user log-in and is available
only to USCG personnel and Marine Transportation System stakeholders (i.e., local, federal, and
state personnel) in the Captain of the Port zone impacted by a pollution incident or marine casualty.
The system administrator at each Captain of the Port manages Common Assessment and Reporting
Tool user accounts, including account approvals, account deletions, and assignment of roles to
accounts.
USCG personnel and stakeholders access the Common Assessment and Reporting Tool via
a web browser from their computer. After entering their username and password, users can perform
the following tasks:
•

Provide timely and accurate information on pre-incident conditions in a sector or other
local unit’s area of responsibility;

•

Facilitate the comparison of pre-incident (baseline) data and post-incident data to
characterize the extent of the impact on the Marine Transportation System;

The Oil Spill Recovery Organization is a voluntary program established by the USCG and was developed to assist
oil-handling facilities and vessels prepare spill response plans.
11

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 4

•

Generate Marine Transportation System Executive Summary Reports to ease
information sharing with local, regional, and national level Marine Transportation
System stakeholders; and

•

Document and share Marine Transportation System recovery status and impact reports
in near real-time at all organizational levels.

CGMIX also includes ten public-facing, searchable modules (sub-applications) to share maritimerelated Marine Information for Safety and Law Enforcement data with the public. The modules
are available to the public at https://cgmix.uscg.mil/:
1) USCG Approved Equipment Listing (EQList): The USCG Approved
Equipment module contains searchable listings of equipment and materials
approved or certified by the USCG for use on commercial vessels and recreational
boats such as life jackets, fire extinguishers, and navigation systems. EQList does
not maintain personally identifiable information. Entities interested in having their
product included in EQList must submit an application to the USCG Office of
Design Engineering (CG-ENE). CG-ENE personnel enter data from the approved
applications into the Marine Information for Safety and Law Enforcement system.
2) USCG Accepted Laboratories: The Accepted Independent Material and
Equipment Laboratories Database (EQLabs) is an online searchable database that
contains a listing of USCG Accepted Laboratories for testing of materials and
equipment. It is intended for use by manufacturers of commercial and recreational
safety equipment and material to locate and contact USCG accepted independent
laboratories for testing purposes for USCG Type Approval.
3) USCG Liferaft Servicing Facilities: An online searchable database containing a
listing of USCG accepted liferaft servicing facilities, which includes the business
contact information of the facilities.
4) Port State Information eXchange (PSIX): Port State Information eXchange
contains detailed information related to a vessel’s length, breadth, depth,
documentation, certifications, deficiency information, and interactions (e.g.,
boardings, inspections, investigations, response actions) with USCG. Only nonsensitive fields 12 are disseminated to the public. Users may query by vessel name,
12
Non-sensitive fields are data fields within the system known not to contain personally identifiable information or
other information that is not releasable to the public (e.g., For Official Use Only, Law Enforcement Sensitive).
Those fields are known not to contain sensitive information because they are either list fields or are field types (such
as date fields) that cannot contain sensitive information. The only exception to this is the Incident Brief, which is a
free form text field. However, the text fields are manually reviewed and scrubbed for personally identifiable
information before release.

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 5

vessel number, hull identification number, vessel call sign, vessel flag, vessel
service, or vessel build year.
5) XML Web Services: XML Web Services exposes data 13 provided by the Port State
Information eXchange, USCG Approved Equipment, and the International
Convention for the Prevention of Pollution from Ships (MARPOL) Certificates of
Adequacy 14 modules to provide users the ability to integrate these searches into
their own applications. To access the XML Web Services module, users click on
the XML Web Services link from CGMIX, review the Service Definitions for that
module, then write the code for the operation they wish to execute.
6) Security Plan Review: Security Plan Review provides vessel and facility operators
the ability to check on the status of their security plans submitted to the USCG.
Users must provide the tracking number they received when they submitted their
security plan to obtain results.
7) Incident Investigation Reports (IIR): The Incident Investigation Reports (IIR)
module is an on-line searchable interface for external users to retrieve information
about reportable marine casualties 15 that were investigated and have a closed status
in the Marine Information for Safety and Law Enforcement system. The
investigation data may contain information about involved organizations, vessels,
or facilities. This data is sanitized of any personally identifiable information or
sensitive information prior to posting to CGMIX. The user may query the Incident
Investigation Reports module by entering an activity number, date range, vessel
service, name of the involved vessel/organization/facility, or keyword. The Incident
Investigation Reports module provides information outside of the Freedom of
Information Act process and meets the investigation report publication
requirements of 46 U.S.C. § Part D.
8) International Convention for the Prevention of Pollution from Ships
(MARPOL) Certificates of Adequacy: The MARPOL Certificates of Adequacy
“Exposes data” means that the utility facilitates copying the data to other systems. It is the same data that is
otherwise available from Port State Information eXchange. However, it avoids the need to make individual queries
for the data. This service was requested by members of the public that use Port State Information eXchange data in
their own database applications.
14
See Module 8.
15
USCG is required to investigate marine casualties in accordance with 46 U.S.C. § 6301 and prepare reports of
those investigations in accordance with 46 U.S.C. § 6305. The CGMIX Incident Investigation Report (IIR) meets
the mandate in 46 U.S.C. § 6101(i) to publish reports of investigation in an electronic format. It states, “[t]he
Secretary shall, as soon as possible, and no later than January 1, 2005, publish all marine casualty reports prepared
in accordance with this section in an electronic form.” A separate section, 46 U.S.C. § 6101(b), requires vessel
operators to report marine casualties to the Coast Guard. However, the investigation reports for each incident
prepared by the Coast Guard are posted, not the vessel operator reports to the Coast Guard.
13

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 6

module disseminates the name, address, phone number, and the Captain of the Port
zone for facilities that comply with the requirements of Annexes I, II, and V of the
1978 Protocol to the MARPOL. This allows users to search for certified waste
reception facilities and provides the facility location and types of waste accepted
by the facility. The information is entered into the Marine Information for Safety
and Law Enforcement system by USCG personnel when they issue the MARPOL
certifications. Facilities interested in certification as a MARPOL reception facility
should contact the nearest Captain of the Port for certification requirements.
9) National Vessel Documentation Center (NVDC) Packet Status: A method for
individuals and organizations of the maritime community to check the status of
applications submitted to the National Vessel Documentation Center for services
(i.e., Certificate of Documentation, Abstract of Title, Renewals). Users enter
specific vessel information and are provided the vessel official number, hull
identification number, and file date/time to confirm their application was received.
This database module does not contain or disseminate Personally Identifiable
Information.
10) National Response Center/Incident Reporting Information System (IRIS):16
Provides non-sensitive pollution incident reports to the public and does not require
a login for access. Data is derived from the Marine Information for Safety and Law
Enforcement system and Incident Reporting Information System and is scrubbed
to remove personally identifiable information and any sensitive data prior to
posting.
CGMIX safeguards personally identifiable information by user authentication, user access
agreements, collecting only data elements legally authorized to be collected, and ensuring
compliance with USCG, DHS, and Federal Information Security Management Act (FISMA)
system security policies.

Reason for the PIA Update
This Privacy Impact Assessment is being updated to include the Contingency Preparedness
System (CPS) in the CGMIX system boundary. CGMIX was designated the proper hosting
designation for CPS because of CGMIX’s database size and the technical support required for
CPS. Additionally, CGMIX has the proper security protocols and technical expertise in place if
CPS has future needs to share data with external DHS offices or the public.
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. COAST GUARD, PRIVACY IMPACT
ASSESSMENT FOR THE INCIDENT REPORTING INFORMATION SYSTEM (IRIS), DHS/USCG/PIA-023
(2015 and subsequent updates), available at https://www.dhs.gov/privacy-documents-us-coast-guard.
16

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 7

Contingency Preparedness System (CPS)
The Contingency Preparedness System is the application that supports the Coast Guard
After Action Program (CGAAP). CPS provides the functionality required by the USCG to rapidly
retrieve data on contingency exercises and actual events, lessons learned, and associated corrective
actions. This enables contingency plan improvement and rapid response to senior leader, DHS,
and congressional queries regarding the fulfillment of the Coast Guard’s legislative and policy
mandated exercise requirements. The lessons learned, best practices, and corrective actions
documented in CPS are searchable by any authorized user of CGMIX. CPS content is used to
inform emergent contingency response operations, support policy development and revision, and
increase senior leader awareness of challenges and opportunities for improvement to Coast Guard
contingency response operations. CPS contains USCG personnel names, work addresses, work
email addresses, and work telephone numbers, which are included in after action reports to
designate a point of contact for each report.
Privacy Impact Analysis
Authorities and Other Requirements
The following specific legal authorities are included for the Contingency Preparedness
System:

17

•

6 U.S.C § 748 authorizes the Federal Emergency Management Agency Administrator 17 in
coordination with the heads of appropriate Federal agencies, the National Council on
Disability, and the National Advisory Council, to carry out a national training program to
implement the national preparedness goal, National Incident Management System,
National Response Plan, and other related plans and strategies.

•

10 U.S.C § 321 authorizes the U.S. armed forces under the jurisdiction of the Secretary of
Defense to train with the military forces or other security forces of a friendly foreign
country if the Secretary determines that it is in the national security interest of the United
States to do so.

•

6 U.S.C. § 913 authorizes the U.S. Coast Guard to require each high-risk facility to conduct
live or full-scale exercises.

•

44 U.S.C. § 3501 and the Open Government Directive authorize the USCG to provide
information to the public and reduce paper usage.

See 6. U.S.C. § 311 (1) and (2).

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 8

18

•

46 U.S.C. § 12501 authorizes the USCG to establish a Vessel Identification System and to
make the ownership of documented, numbered, and state titled vessels available to law
enforcement.

•

46 U.S.C. § 12503 authorizes collection of social security numbers of vessel owners in the
Vessel Identification System.

•

46 C.F.R. 159.010-5 authorizes the collection of information from applicants seeking to be
identified as USCG Accepted Laboratories.

•

46 C.F.R. 160.151-41 authorizes the collection of information from applicants seeking to
be identified as a USCG “approved servicing facility” for inflatable liferafts.

•

USCG-approved equipment is authorized under the U.S.-European Commission (EC)
Mutual Recognition Agreement (MRA) and the U.S.-European Economic Area (EEA)
European Free Trade Association (EFTA) Mutual Recognition Agreement. 18

•

46 C.F.R. Part 4, Subpart 4.05 Notice of Marine Casualty and Voyage records authorizes
USCG to collect incident investigation reports. For CGMIX, these reports are limited to
reportable marine casualty data as defined in 46 U.S.C. Subtitle II, Part D Chapter 61 (h).
46 CFR Part 4, Subpart 4.13 public availability addresses public access to marine casualty
and investigation records.

•

The National Response Center database module is authorized to collect data under 40 CFR
300.125(a), which establishes USCG as the single point of contact for all pollution incident
reporting, and 40 CFR 300.125(c), which authorizes USCG to collect information and
receive notification about oil or hazardous substances. The information is provided to the
National Response Center Duty Officer, located at USCG Headquarters.

•

Homeland Security Exercise and Evaluation Program (HSEEP) 2020 establishes the
principles for exercise and evaluation programs, as well as a common approach to exercise
program management, design and development, conduct, evaluation, and improvement
planning.

•

Maritime Transportation Security Act (MTSA) of 2002 and the Security and
Accountability for Every Port Act (SAFE Port Act) of 2006 authorize the collection and
dissemination of information to federal, state, and USCG partners approved to access the
Common Assessment Reporting Tool.

For more information, see http://www.uscg.mil/hq/cg5/cg5214/mra.asp.

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 9

Characterization of the Information
CGMIX collects information from established relationships and associations with vessels,
marine transportation facilities, and activities regulated by USCG. Specifically, established
relationships and associations include those with vessel owners, operators, charterers, masters,
crew and/or agents, mortgagees, lien claimants, vessel builders, facility owners, managers or
employees, individuals who own, operate, or represent marine transportation companies, and other
individuals who come in contact with the USCG through its law enforcement, marine safety,
investigation, and environmental activities.
The Contingency Preparedness System maintains the following personally identifiable
information:
•

Employee name;

•

Employee work address;

•

Employee work phone; and

•

Employee work email.
Uses of the Information

There are no updates related to uses of information. There are no new privacy risks
associated with uses of information.
Notice
USCG is providing general notice of the inclusion of the Contingency Preparedness System
in CGMIX through this Privacy Impact Assessment update.
Data Retention by the Project
The records retention schedule for the Contingency Preparedness System is number N1026-05-014:
1. Exercise Records: Delete when data has been verified and no longer needed for
reference.
2. Contingency Plans: Delete when data has been verified and no longer needed for
reference.
3. After Action Reports and Lessons Learned: Delete when data has been verified and
no longer needed for reference.
4. Exercise and Plans Data: Delete 20 years after cutoff, or when no longer needed for
reference, whichever is later.

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 10

5. Standard After Action Information and Lessons Learned System (CG-SAILS):
Permanent, transfer to NARA every third calendar year.
6. Outputs: Destroy when no longer needed for administrative use.
7. System Documentation: Permanent, transfer to NARA any updates.
8. Electronic Mail and Word Processing System Copies: Delete within 180 days after
recordkeeping copy has been made. Delete when dissemination, revision, or
updating is complete for copies used for dissemination, revision, or update.
Information Sharing
There are no updates related to information sharing. There are no new privacy risks
associated with information sharing.
Redress
An individual may seek access to their records by filing a Privacy Act or Freedom of
Information Act request. Only U.S. citizens, lawful permanent residents, and covered citizens of
designated foreign countries or regional economic integration organizations under the Judicial
Redress Act (JRA) are afforded access under the Privacy Act. Individuals not covered by the
Privacy Act or Judicial Redress Act may still obtain access to records consistent with Freedom of
Information Act requests unless disclosure is prohibited by law or if the agency reasonably
foresees that disclosure would harm an interest protected by an exemption. An individual may file
a Privacy Act or Freedom of Information Act request electronically at https://www.dhs.gov/foia.
Individuals may also submit requests to the USCG Freedom of Information Act Officer by mail,
facsimile, or email:
Commandant (CG-6P)
Attn: FOIA/PA Officer
U.S. Coast Guard
2703 Martin Luther King, Jr. Ave. SE STOP 7710
Washington, D.C. 20593-7710
Fax: (202) 372-8413
[email protected]
To conform to the Privacy Act regulations set forth in 6 CFR Part 5, the individual must first verify
their identity, including their full name, current address, and date and place of birth. The individual
must sign the request. The individual’s signature must either be notarized or submitted under 28
U.S.C. § 1746, a law that permits statements to be made under penalty of perjury as a substitute
for notarization. In addition, the individual should:
•

explain why they believe the USCG would have the information being requested;

•

specify when the individual believes the records would have been created; and

Privacy Impact Assessment Update
DHS/USCG/PIA-022(a) CGMIX
Page 11

•

if the request is seeking records pertaining to another living individual, the request must
include an authorization from the individual whose record is being requested,
authorizing the release to the requester.

Without the above information, the USCG may not be able to conduct an effective search, and the
individual’s request may be denied due to lack of specificity or lack of compliance with applicable
regulations. All or some of the requested information may be exempt from access pursuant to the
Privacy Act to prevent harm to law enforcement investigations or interests. Providing an individual
access to these records could inform the target of an actual or potential criminal, civil, or regulatory
investigation or reveal investigative interest on the part of DHS or another agency. However,
USCG evaluates requests for access and redress on a case-by-case basis.
Auditing and Accountability
This update does not impact auditing and accountability. There are no new privacy risks
associated with auditing and accountability.

Contact Official
LCDR Myles Richardson
C5I Sponsor Representative
Office of (C5I) Capabilities (CG-761)

Responsible Official
Kathleen L. Claffie
Chief, Office of Privacy Management (CG-6P)
U.S. Coast Guard
[email protected]

Approval Signature
Original, signed version on file at the DHS Privacy Office.
________________________________
Mason C. Cutter
Chief Privacy Officer
U.S. Department of Homeland Security
(202) 343-1717


File Typeapplication/pdf
File TitleDepartment of Homeland Security Privacy Impact Assessement Update
SubjectDepartment of Homeland Security Privacy Impact Assessement Update
Authorrwjohnson
File Modified2024-02-26
File Created2024-02-26

© 2024 OMB.report | Privacy Policy