PIAs, FISMA, DHP SIRT
2007 Data Protection Seminar
TMA Privacy Office, TRICARE Management Activity (TMA), Health Affairs
Purpose
The purpose of this brief is to provide an overview of PIAs, FISMA, and DHP SIRT and their importance in Privacy reporting.
Objectives
Upon completion of this lesson, you will be able to:
Specify Privacy reporting tools:
Privacy Impact Assessments (PIAs)
Defense Health Program System Inventory Reporting Tool (DHP SIRT)
Federal Information Security Management Act (FISMA)
Identify Privacy reporting requirements
Describe your role in Privacy reporting
The Information and System Lifecycle
When would you address PIAs, DHP-SIRT, and FISMA? The slide shows the five phases of the Information and System Life Cycle:
Phase 1: Initiation
Phase 2: Acquisition/Development
Phase 3: Implementation
Phase 4: Operations/Maintenance
Phase 5: Disposition
In the diagram, FISMA and DHP-SIRT reporting run across the lifecycle phases, while the PIA has a defined start point and completion point (labeled "Start: PIA" and "Complete: PIA"); the PIA is started in the Initiation phase.
PIAs
PIA Overview
What is a PIA?
Purpose
Content
Requirements for PIAs
Federal laws, Office of Management and Budget (OMB), Department of Defense (DoD), TRICARE Management Activity (TMA)
PIA roles and responsibilities
Preparers, reviewers, signers
Completing a PIA
Sources of PIA information
Summary
What is a PIA?
A PIA is an analysis of how Information in Identifiable Form (IIF)/Personally Identifiable Information (PII) is handled and protected in an IT system
IIF covers both personal and healthcare information
PIAs are conducted to:
Ensure that systems conform to legal, regulatory, and policy requirements for privacy
Assess risks in the collection, maintenance and dissemination of IIF in an IT system
Mitigate potential privacy risks
PIA Goals
TMA's PIAs have four main goals:
Internal Information
Accountability
Consistency
Remediation
The PIA must be a stand-alone document
A PIA must be consistent with a system’s budget and security documentation
Federal PIA Requirements
E-Government Act of 2002, Section 208
Requires agencies to conduct a PIA before developing an IT system that collects, maintains or disseminates IIF about members of the public (Initiation phase), and again when such a system is updated or significantly altered
Office of Management and Budget (OMB)
OMB Memo 03-22 (implementing guidance)
OMB A-11 Capital Planning Process/Exhibit 300s
FISMA and OMB M-05-15
DoD PIA Requirements
DoD PIA Guidance Memorandum – October 28, 2005
Issued by the DoD Assistant Secretary of Defense for Networks and Information Integration (ASD(NII))
Provided department-wide guidance for implementing the PIA requirements of the E-Government Act
Follows OMB guidance and adds DoD-specific requirements
Established questionnaire format of DoD PIAs
TMA PIA Guidance
TMA PIA Guidance Memorandum – February 10, 2006
Delegates PIA compliance responsibilities to the Privacy Officer
Includes TMA-specific requirements to address privacy factors
Directs system owners to:
Enter PIA information into the DHP SIRT
Provide PIA summary
PIA Exemptions
Program Offices are exempt from PIAs in accordance with OMB Memo 03-22 when:
Information relates to a National Security System
IT systems do not contain IIF from or about members of the public
All elements of the PIA are already addressed in one of the following:
a matching agreement governed by the computer matching provisions of the Privacy Act
an interagency agreement permitting the merging of data strictly for statistical purposes
an evaluation of the privacy impact that is as stringent as the PIA process
Updating PIAs
Program Offices must update PIAs or perform new ones when the following conditions occur:
Conversion from manual to electronic systems
Anonymous to non-anonymous data collections
Significant system management changes
Significant merging
New public access
Initiating use of commercial sources
New Interagency Uses
Changes to internal flow or collection
Alteration in character of data
TMA PIA Process
Incorporates Federal and DoD requirements and guidance
Applies to TMA and healthcare service support contractors' systems
The TMA PIA process has three parts:
Determination Checklist
PIA Completion Package
Preparation of the PIA Summary, which is forwarded to the TMA Privacy Office
PIA Roles: Program Manager
TMA PIAs: Getting Started
PIA Determination Checklist
The PIA determination checklist helps determine whether a PIA is required
Prior to starting a PIA, the Program Manager completes the checklist
The checklist includes a system description
TMA Privacy Office reviews PIA determination checklist to determine if a PIA is required
If a PIA is not required, the signed PIA determination checklist serves as evidence that no PIA is required
Systems owned by the Military Services use their own PIA determination process
PIA Determination Evaluation
Systems are assessed to determine whether a PIA is required
Key issues:
What kind of data does the system use?
Does the system contain IIF?
Is the IIF about members of the public?
Is the system a National Security system?
Have there been major changes to the system?
What is the size of the system?
PIA Completion Package
Documents to assist in preparing a PIA:
PIA process instructions
DoD PIA questions
PIA summary response template
OMB, DoD, TMA PIA guidance
TMA Privacy Office contacts and website URL
PIA System Information
Systems are identified using numbers and names that have been established for purposes other than the PIA submission, including:
IT Investment Unique Identifier
Budget System Identification Number (IT Registry)
System Identification Number (IT Registry)
System Points of Contact
PIA System Description
Key information includes:
System description - purpose, boundaries, etc.
System development life cycle phase
Certification and Accreditation (C&A) status
A-11 Capital planning exhibits
IIF maintained in the system
Subjects of IIF
Privacy Act of 1974 compliance
PIA Information Sharing
Key points include:
Collecting IIF from sources other than directly from individuals (databases, websites, etc.)
Populating other resources (databases, websites, etc.) with IIF
Sharing or disclosing IIF outside TMA
Computer Matching and Privacy Protection Act requirements
Individual choice and notification
PIA Security Controls
Key resources include:
Security control assessments
Security plans
Contingency plans
System and data backup plans
Password controls
Incident response plans
Physical controls (locks, guards, alarms, etc.)
Controls on the use of mobile computing devices, removable storage media, remote access
PIA Risk Evaluation
Evaluates privacy risks arising from:
Collection, use and sharing of IIF/PII
Consent and notice for individual data subjects
Security controls
Performed by the TMA Privacy Office during its review of the completed PIA Summary
PIA Summary Review
The completed PIA Summary is reviewed by the TMA Privacy Office
The PIA preparer and the TMA Privacy Office work together to create the final version of the PIA Summary
The final version is reviewed and approved by the TMA Privacy Office before it is signed by:
Preparing Official (a Government employee)
Information Assurance Official (IAO)
Chief Privacy Officer
Chief Information Officer (CIO)
PIA Summary Processing
Signed copies are sent to the PIA Program Office, ASD(NII), and OMB (if necessary)
A file copy is kept in the TMA Privacy Office
Notification of the completed PIA is posted on the TMA Privacy website (www.tricare.mil/tmaprivacy/completed-PIAs.cfm)
The public may request a copy of the PIA
PIA preparer updates Privacy tab of DHP SIRT database
DHP SIRT
DHP SIRT
System Privacy information is maintained in the DHP SIRT. This system also maintains information on FISMA, Business Enterprise Architecture (BEA), interoperability, and other areas
DHP SIRT is a reporting tool for DHP-funded systems
DHP SIRT reporting is a monthly process that is maintained throughout the Information and System Life Cycle
Data housed in this tool is uploaded to the Office of the Secretary of Defense (OSD) every month
PIA preparer updates Privacy tab of DHP SIRT database to indicate PIA status
PIA and DHP SIRT Summary
The PIA is a report on the privacy protections in place on an IT system
PIAs are required for a new system, or when an existing system is significantly modified
The TMA Privacy Office reviews and approves PIAs done for TMA systems
PIA and Privacy information status is reported to OSD through the DHP SIRT
FISMA
FISMA Overview
What is FISMA?
Purpose
Content of FISMA report
FISMA Privacy reporting requirements
FISMA reporting roles
Summary
What is FISMA?
The Federal Information Security Management Act is Title III of the E-Government Act of 2002; it requires a report on the security and privacy of sensitive information in Federal computer systems, covering:
Security procedures and practices
Internal oversight
Plans of Action and Milestones (POA&Ms)
System inventories
Testing and evaluation
Security controls
Privacy controls
FISMA Reporting Roles
FISMA reporting is done at the Component level (TMA, DoD agency, etc.) for the systems controlled by that Component
The TMA Privacy Office answers the FISMA questions on TMA system Privacy protections
The TMA Privacy Office provides supporting documentation to verify its FISMA report
FISMA Report
Annual or quarterly report on system security
The annual report includes the following sections:
Instructions for completing the annual FISMA report
Reporting Section for Chief Information Officers (CIOs)
Reporting Section for Inspectors General (IGs)
Reporting Section for Senior Agency Official for Privacy (SAOP)
Reporting Template for Micro Agencies
Quarterly Reporting Template
FISMA Report - Privacy
The section on Privacy includes:
SAOP Responsibilities
Information Privacy and Training
PIA and Web Privacy Policies and Processes
Privacy Act Reviews
Policy Compliance Reviews
Persistent Tracking Technology Utilization
Contact Information
FISMA Report Requirements
FISMA reporting for FY07 requires the following (these items correspond to the requirements of OMB Memorandum M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information"):
Breach Notification Policy
Implementation plan to eliminate unnecessary use of Social Security Numbers (SSNs)
Implementation plan and progress update on review and reduction of holdings of Personally Identifiable Information (PII)
Policy outlining rules of behavior and identifying consequences and corrective actions
FISMA Report Disposition
The TMA Privacy Office's FISMA report is forwarded to OSD
OSD compiles the FISMA reports from TMA, the Military Services, and DoD agencies into a consolidated DoD FISMA report
FISMA reports from Federal agencies and departments are sent to OMB
Summary
You should now be able to:
Identify Privacy reporting requirements
Specify Privacy reporting tools:
PIAs
DHP SIRT
FISMA
Describe your role in Privacy reporting
Resources
E-Government Act of 2002, Section 208
Privacy Act of 1974
TMA PIA Policy, February 10, 2006
OMB Memo 03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002"
DoD PIA Guidance, October 28, 2005
http://www.tricare.osd.mil/tmaprivacy/HIPAA.cfm
http://www.tricare.osd.mil/tmaprivacy/Mailing-List.cfm to subscribe to the TMA Privacy Office E-News
PIAmail@tma.osd.mil for PIA subject matter questions
Please fill out your critique. Thank you!