Pia

Privacy Impact Assessment Form

v 1.47.4

Status Revised Form Number Form Date 10/03/2019

Question Answer

1 OPDIV:

National Institutes of Health

2 PIA Unique Identifier:

TBD

2a Name:

NCI Office of Acquisitions System (OASYS)

General Support System (GSS) Major Application

Minor Application (stand-alone)

3 The subject of this PIA is which of the following?

Minor Application (child)

Electronic Information Collection Unknown

_3a Identify the Enterprise Performance Lifecycle Phase _{Implementation} of the system.

3b Is this a FISMA-Reportable system?

Yes No

Does the system include a Website or online _Yes

4 application available to and for the use of the general

public? ^No

Agency

5 Identify the operator.

Contractor

POC Title Business Owner

POC Name Teresa A. Baughman

_{6 Point of Contact (POC):} POC Organization NCI - Office of Acquisitions POC Email teresa.baughman@nih.gov POC Phone 240-276-5397

New

7 Is this a new or existing system?

Existing

Yes

8 Does the system have Security Authorization (SA)?

No

8a Date of Security Authorization

09/07/2017

11 Describe the purpose of the system.

The OASYS and FCAS system was originally created to replace OA’s SharePoint site that was used for routing and approval of post-award contract correspondence (e.g. invoices and deliverables) submitted by contractors during contract period of performance and for close-out. At a base level, the OASYS Contract Administration module provides OA the same routing process for approving/rejecting vendor correspondence while receiving recommendation from the Program Office. The goal from the point of design was to incorporate additional functionality found in other systems such as eContracts and Yellowtask. With the addition of Vendor Portal which will incorporate the functionality of Task Order Request For Proposal (TORFP)-EZ, the TORFP-EZ system will be retired.

The overall goal for implementing the OASYS and FCAS system is to assist NCI OA with consolidating multiple systems used throughout the acquisition life-cycle and streamline the process of collaboration between the Office of Acquisitions and the Program Office. After the implementation of the Contract Administration module, the system’s user interface (UI) was improved to include user feedback and provide a smooth transition for the upcoming modules to accomplish this goal. The system also includes modules for planning and solicitations as well as a document repository where file reviews can be done.

OASYS and FCAS is a supplemental system that does not usurp the authority of the principle contracting system National Institutes of Health (NIH) Business System (NBS) PRISM. PRISM remains the system of record for contract awards. OASYS and FCAS do not usurp the authority of NBS Oracle Financial as the system of record for contract funding actions, invoice approval and payment processing.

Describe the type of information the system will _{OASYS utilizes data in two ways:}

₁₂ collect, maintain (store), or share. (Subsequent

questions will identify if this information is PII and ask _{1 Acquisition and contract data is pulled from the NIH data}

^{about the specific data elements.)} warehouse (nVision), on a read-only basis, and displayed to

^{Provide an overview of the system and describe the} The Office of Acquisitions System (OASYS) is a Web based

13 information it will collect, maintain (store), or share, _{application. It utilizes data from the NIH data warehouse}

^{either permanently or temporarily.} (nVision) as well as information collected directly by OASYS to

Yes

14 Does the system collect, maintain, use or share PII?

No

20 Describe the function of the SSN.

System does not collect, store, or process SSNs.

20a Cite the legal authority to use the SSN. _{Not applicable (see question 20)}

₂₁ Identify legal authorities governing information use _{42 U.S.C. 241(d), 281.} and disclosure specific to the system and program.

Are records on the system retrieved by one or more ^Yes

²² PII data elements? _No

Published: 09-25-0216 NIH Electronic Directory (NED)

Identify the number and title of the Privacy Act _{09-25-0118 Contracts: Professional Services 22a} System of Records Notice (SORN) that is being used ^Published: _Contractors

to cover the system or identify if a SORN is being

developed.

Published:

In Progress

Directly from an individual about whom the information pertains

In-Person Hard Copy: Mail/Fax

Email Online

Other Government Sources

Within the OPDIV Other HHS OPDIV

²³ Identify the sources of PII in the system. _{State/Local/Tribal}

Foreign Other Federal Entities

Other Non-Government Sources

Members of the Public Commercial Data Broker Public Media/Internet

Private Sector

Other

_23a Identify the OMB information collection approval _{In Progress} number and expiration date.

Yes

24 Is the PII shared with other organizations?

No

Is the submission of PII by individuals voluntary or ^Voluntary

²⁶ mandatory? _Mandatory

The PII data is sourced from existing DHHS/NIH systems (NED, nVision). Those systems own the responsibility for allowing users to opt out of providing certain information. OASYS and FCAS does not collect any new PII.

Once the Vendor Portals are released, in order to obtain a vendor portal account, the vendor's business official is required to provide his or her name, title, their vendor email address,

^{Describe the method for individuals to opt-out of the} etc., as noted above. Vendor's are not required to respond to

₂₇ ^{collection or use of their PII. If there is no option to} or bid on task orders. If they elect to respond to a request for ^{object to the information collection, provide a} proposal or revised proposal, they must provide required PII to

^reason. establish the account for validation. This is to ensure that access is provided only to authorized vendor users, to facilitate proper routing and notification of subsequent award decisions, and to ensure that NCI users are able to contact awardees through the system post-award. The contractors must submit their deliverables, invoices, requests, notifications and other correspondence, through the vendor portal. Terms and conditions will be included in NCI OA awards mandating this.

OASYS does not collect new PII, but uses PII shared under _{Describe the process to notify and obtain consent} agreement with other NIH source systems previously

from the individuals whose PII is in the system when ^mentioned.

major changes occur to the system (e.g., disclosure

_{28 and/or data uses have changed since the notice at} Once Vendor Portals are released, vendor's business officials

the time of original collection). Alternatively, describe ^{will be contacted using the email and/or phone number}

_{why they cannot be notified or have their consent} information provided in their proposals/quotes and invited to

_obtained. submit revised proposals. Contractors with current contracts

as of go live, will be given instructions by NCI OA, to establish a

vendor portal profile for contract administration.

OASYS does not collect PII, but uses shared PII under agreement with other NIH source systems. Those systems are responsible for resolving individuals' concerns over its use.

^{Describe the process in place to resolve an} However, if anyone feels their data has been inappropriately ^{individual's concerns when they believe their PII has} used as a result of OASYS and FCAS, then users can contact the

29 been inappropriately obtained, used, or disclosed, or _{OASYS and FCAS help desk.} that the PII is inaccurate. If no process exists, explain

^{why not.} For Vendor Portals, the NCI OA will review its system logs and any other available historical information, and will work with the NCI Privacy Coordinator to investigate such concerns raised by vendor users.

Describe the process in place for periodic reviews of

₃₀ PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no

processes are in place, explain why not.

A PIA review will be conducted each time major OASYS and FCAS functionality is released that utilizes addition data (NED, nVision) beyond the data included in the previous PIA. Minimally, a PIA review will be conducted yearly.

₃₁ Identify who will have access to the PII in the system and the reason why they require access.

Users

Responsible for creating and managing requirements; Reviewing and dispositioning contract correspondence including OA and Program staff.

Administrators

Responsible for Access control, Operations and Maintenance (O&M) support and in some cases the same responsibilities as "Users".

Developers

Testing and customer defect resolution may expose these users to PII.

Contractors

NCI contractor employees may be involved in the review correspondence process. Also, vendor users with vendor administrator roles would have access to their own firm's vendor profile.

Others

^{Describe the procedures in place to determine which} All requests for access to OASYS and FCAS will be assigned an

^{32 system users (administrators, developers,} appropriate profile (role) and approved by the System Owner ^{contractors, etc.) may access PII.} before being implemented by the system administrator.

Describe the methods in place to allow those with

_{33 access to PII to only access the minimum amount of} Role based access controls are used to limit users' access to PII

_{information necessary to perform their job.} based on their defined job function and system role.

Each time the user initiates a new session, they are presented with a Terms of Use screen that will remind them of their

^{Identify training and awareness provided to} responsibilities in protecting PII. All users are on the NIH ^{personnel (system owners, managers, operators,} network have completed security, privacy, and records

₃₄ contractors and/or program managers) using the _{management training.} system to make them aware of their responsibilities

^{for protecting the information being collected and} Additionally, all NCI staff and NCI contractors who will have ^maintained. access to the system or to the PII data complete the NIH

Security, Privacy, and Insider Threat course. This course is refreshed and all users must re-take each year.

_{Describe training system users receive (above and} All users are provided an opportunity to attend in-person

_{35 beyond general security and privacy awareness} OASYS and FCAS training sessions, and these sessions are

_training). scheduled on a regular basis. There are also training guides

available directly through the applications.

Do contracts include Federal Acquisition Regulation _Yes

36 and other appropriate clauses ensuring adherence to

privacy provisions and practices? ^No

Describe the process and guidelines in place with

37 regard to the retention and destruction of PII. Cite specific records retention schedules.

NIH Manual Chapter 1743, Appendix 1 allows records to be destroyed after a maximum period of six years and three months after final payment. Also, FAR 4.703(a)(b)(c)(d).

Describe, briefly but with specificity, how the PII will

38 be secured in the system using administrative, technical, and physical controls.

PII will not be exposed to users via business logic. PII data elements will be encrypted. Access to administrative features of the system will be controlled by ISSO and access permissions will be reviewed quarterly to ensure that users are aged out of the system. The system is operated inside the NCI Managed Data Center, within a dedicated federally leased building with armed guards, badge access, video surveillance; it is operated within the NCI's LAN GSS, which provides numerous technical security controls on behalf of its customers including firewalls, IDS/IPS, vulnerability scanners, centralized patching, host-based malware detection and prevention, and log aggregation and analyses.

General Comments

OPDIV Senior Official for Privacy Signature