ML18303A105

Financial Accounting and Integrated Management Information System (FAIMIS)

Issue date: 10/10/2018
From: Anna McGowan, NRC/OCIO
To:

ADAMS ML18303A105

U.S. Nuclear Regulatory Commission
Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Financial Accounting and Integrated Management Information System (FAIMIS)

Date: October 10, 2018

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

The Financial Accounting and Integrated Management Information System (FAIMIS) is a multi-tier, distributed financial management system supporting dynamic interoperability with other federal systems and providing the means to record financial transactions. FAIMIS is based upon the CGI Momentum Enterprise Resource Planning (ERP) COTS suite. FAIMIS records purchasing, accounts receivable, accounts payable, disbursements, and other budget activities, which are integrated so that the transactions, when processed, can update budgets, financial plans, and the general ledger. FAIMIS also offers the functions needed to consolidate financial reports and controls.

FAIMIS is a subsystem of the Office of the Chief Financial Officer (OCFO) Financial Management System (FMS) FISMA boundary. FMS will provide a framework for managing cybersecurity compliance for OCFO financial services and systems used by NRC. FMS is an umbrella system that consists of subsystems which support mission and business functions that OCFO provides for the agency.

Using FAIMIS, NRC staff is able to:

  • Track and manage the budget
  • Compute and track performance data
  • Distribute project costs to appropriate offices
  • Provide user-defined queries
  • Perform on-line analytical processing to enhance decision processing
  • Program spending alerts for key budget items
  • Provide real-time and ad hoc reporting capabilities
  • Bill and collect NRC License Fee Billing costs/fees
  • Capitalize property

2. What agency function does it support?

FAIMIS is the NRC core financial management system supporting all financial functions and provides agency compliance with Federal proprietary and budgetary accounting and financial reporting requirements. FAIMIS also performs license fee billing and collection, cost accounting, funds control, and capitalized property.

3. Describe any modules or subsystems, where relevant, and their functions.

The modules comprising the FAIMIS application and their purpose are described below:

  • Accounts Payable: Tracks all information needed to properly record the expenditure of agency funds.
  • Accounts Receivable: Records, monitors, and controls all activities in the client's billing and collection process.
  • Automated Disbursements: Allows the client to disburse funds through the United States Department of the Treasury.
  • Budget Execution: Automates the budget execution process by recording numerous budgetary control levels and validates budgetary financial activity.
  • Cost Allocation: Provides the capability to distribute costs or revenues for accounting or reporting purposes based on client-defined criteria.
  • General Ledger: Provides all the necessary financial postings for all transactions across all subsystems, and provides a complete audit trail of transactions processed in FAIMIS.
  • General System: Contains reference data and maintenance tables that form the backbone of FAIMIS.
  • Project Cost Accounting: Allows the client to track project costs incurred, record reimbursable agreements, and distribute project costs to the agreements which are funding the projects, bill customers based upon terms of agreement, and track billing and collection activity against agreements and projects.
  • Purchasing: Supports the procurement process by tracking a purchase's financial and descriptive information from pre-commitment of funds to a vendor invoice.
  • Fixed Assets: Allows the client to track capitalized and accountable property from acquisition to disposal, including asset depreciation (however, this module has not been configured for use at the NRC).
  • Travel Accounting: Allows the client to track and account for travel orders, advances, and vouchers.

4. What legal authority authorizes the purchase or development of this system?

Section 6109 of the IRS Tax Code and the Debt Collection Improvement Act authorize the NRC to collect information on individuals, vendors, and licensees.

5. What is the purpose of the system and the data to be collected?
  • To comply with Federal laws and regulations for financial and proprietary accounting and control, account for NRC budgetary resources, and facilitate the accounts payable, accounts receivable, fixed asset, travel, and financial reporting processes.
  • Issue payments to individuals and contractors for goods and services received, travel, and payroll.
  • Bill and collect nuclear regulatory fees, indemnity fees, civil penalties, and other miscellaneous fees and charges.
  • Bill and collect for reimbursable work performed by the NRC.
  • The IRS requires 1099 forms sent to vendors that are annually paid $600 or more. Complete TIN information is required for this process.
  • Office of Personnel Management retirement and personnel requirements.

6. Points of Contact:

Project Manager: Jeffrey Sheldon, OCFO/DOC/FSB, 301-415-5743
Business Project Manager: Carl Fredericks, OCFO/DOC/ARB, 301-415-6285
Executive Sponsor: Gordon Peterson, OCFO/DOC, 301-415-7348

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. [ ] New System  [X] Modify Existing System  [ ] Other (Explain)
b. If modifying an existing system, has a PIA been prepared before?

Yes

(1) If yes, provide the date approved and ADAMS accession number.

Date: May 30, 2012, ADAMS # ML12144A106

(2) If yes, provide a summary of modifications to the existing system.

FAIMIS was previously authorized as a separate system and now it is incorporated into the FMS FISMA boundary as a subsystem.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public).

Individuals include Federal employees, Federal contractors, commercial vendors, invitational travel recipients, and licensees.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific)?

FAIMIS maintains names, taxpayer identification numbers (TIN), Social Security numbers (SSN), addresses, and bank account/routing numbers.

c. Is information being collected from the subject individual?

Yes

(1) If yes, what information is being collected?

Name, TIN, SSN, address, and bank account/routing number.

d. Will the information be collected from 10 or more individuals who are not Federal employees?

Yes

(1) If yes, does the information collection have OMB approval?

Yes

(a) If yes, indicate the OMB approval number:

The OMB approval number is 3150-0188.

e. Is the information being collected from existing NRC files, databases, or systems?

Yes

(1) If yes, identify the files/databases/systems and the information being collected.

Information for employees is collected from the Human Resource Management System (HRMS). Information for invitational travel recipients is collected from the e-Travel system. Licensee information is collected from the General License Tracking System (GLTS) and Web Based Licensing System (WBL). License fee billing business function information is collected from Master Data Management System (MDMS). Labor costing string is collected from Cost Activity Code System (CACS).

f. Is the information being collected from external sources (any source outside of the NRC)?

Yes

(1) If yes, identify the source and what type of information is being collected.

Vendor information (billing information, addresses, and TIN) is collected from the Treasury's System for Award Management (SAM) database.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

The information from interfacing systems is validated by the source system. Vendor information is refreshed and updated through an interface with the SAM, and notification from vendors.

h. How will the information be collected (e.g. form, data transfer)?

For interfacing systems, the information is collected by forms, file transfer, and electronic data interchange. FAIMIS collects this information from the interfacing systems, SAM, IRS Form W-9, e-mail, and telephone communication.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes

(1) If yes, identify the type of information (be specific).

FAIMIS maintains budgetary funds control and proprietary accounting information pertinent to the agency and information about accounts payable, accounts receivable, fixed assets, license fee classifications, the budgetary and accounting code structure, project codes, vendors and debtors, organization codes (agency departments), and reimbursable agreements.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

The information is collected from both internal and external sources.

Internal sources are financial and procurement documents produced in the course of conducting NRC business and programs, as well as the Budget Formulation System (BFS). External sources include documents from vendors and licensees conducting business with the NRC, and funding and authorizing documents from oversight agencies such as the U.S. Department of the Treasury and the Office of Management and Budget (OMB).

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The information is used to account for agency budgetary resources; accomplish proprietary accounting; and manage fixed assets, programs, activities, and projects. It is also used to pay invoices for goods and services received, bill and collect fees, manage vendor and licensee data, and perform general ledger accounting and financial reporting.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes

3. Who will ensure the proper use of the data in this system?

The OCFO in close coordination with the Federal Shared Service Provider, CGI, is responsible for overall operations and management of the system.

Operational configuration and security controls for FAIMIS are set to limit access to information based upon the need to know and least access concepts.

4. Are the data elements described in detail and documented?

Yes, FAIMIS data elements were documented and are included in the data dictionary, System Security Plan (SSP), and training materials, which were developed during the development and configuration of the system.

a. If yes, what is the name of the document that contains this information and where is it located?

The data dictionary, based upon the final configuration of the data elements, is located in the SSP and user guides that were developed prior to implementation. The OCFO will maintain this information electronically, in hard copy, and copies of the documentation will be put into ADAMS.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No

a. If yes, how will aggregated data be maintained, filed, and utilized?
b. How will aggregated data be validated for relevance and accuracy?
c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?
6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier? (Be specific.)

Yes, FAIMIS provides a reporting/query desktop tool for end-users to access real-time data directly against the data source. Information is also retrieved online by viewing the appropriate table/form. The end-user's profile and security configuration limit user access to information.

7. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No

a. If yes, explain.

(1) What controls will be used to prevent unauthorized monitoring?

8. List the report(s) that will be produced from this system.

FAIMIS provides reports and a desktop query capability to track and report financial, budgetary, and proprietary information concerning the programs and business conducted by the NRC. FAIMIS also provides a tool to allow authorized users to develop reports and export data as needed to conduct business.

a. What are the reports used for?

Reports and data queries are needed to execute and manage the programs and business of the NRC. They are also used to comply with Federal laws and regulations including external reporting requirements.

b. Who has access to these reports?

Users from each organization have access to view the status of their budgetary resources, programs, activities, and projects. Access restrictions are based on predefined user roles based on position, duties, and information needs. Access is approved by the user's supervisor and FAIMIS System Administrator. The FAIMIS reporting/query tool allows users to develop and run their own reports and queries limited by their original access.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

All NRC offices have staff assigned as FAIMIS users.

(1) For what purpose?

These offices have access to enter financial transactions in the system and query the system to conduct business, manage their budgetary resources, and meet proprietary accounting needs.

(2) Will access be limited?

Yes, user accounts are established based on transaction processing and information access needs. User profiles and access are approved by the user's immediate supervisor and the FAIMIS System Administrator.

2. Will other NRC systems share data with or have access to the data in the system?

Yes

(1) If yes, identify the system(s).

Budget Formulation System (BFS)

Strategic Acquisition System (STAQS)

(2) How will the data be transmitted or disclosed?

Data are disclosed through SQL database views.

3. Will external agencies/organizations/public have access to the data in the system?

Yes

(1) If yes, who?

Payments users from the Bureau of Fiscal Service will have secure access to FAIMIS for the purpose of managing payment activities. Only approved and explicitly authorized FSB users will have access to FAIMIS, via a secure VPN and FAIMIS login credentials.

(2) Will access be limited?

Yes, only to FSB users via a secure VPN and FAIMIS login credentials who have been granted access.

(3) What data will be accessible and for what purpose/use?

Data related to payment activities.

(4) How will the data be transmitted or disclosed?

Only approved and explicitly authorized FSB users will have access to FAIMIS, via a secure VPN and FAIMIS login credentials.

E. RECORDS RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and are required under 36 CFR 1234.10. The following questions are intended to determine whether the records in the system have an approved records retention schedule or if one will be needed.

1. Can you map this system to an applicable retention schedule in NUREG-0910, or the General Records Schedules at http://www.archives.gov/records-mgmt/grs ?

Yes

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished. For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to a file for transfer based on their approved disposition?

National Archives and Records Administration (NARA) approved retention, N1-431-10-1.

Masterfile:

Temporary: Cut off at the fiscal year and transfer to inactive storage within FAIMIS data storage. Destroy/delete 10 years after cutoff.

Documentation:

Temporary: Destroy 5 years after the project/activity/transaction is completed or superseded, or the associated system is terminated, or the associated data is migrated to a successor system, but longer retention is authorized if required for business use.

b. If the answer to question E.1 is yes, skip to F.1. If the response is no, complete question E.2 through question E.7.
2. If the records cannot be mapped to an approved records retention schedule, how long do you need the records? Please explain.
3. Would these records be of value to another organization or entity at some point in time? Please explain.
4. How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?
5. What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system? For example, does the information reside in the system for three years after it is created and then is it deleted?
6. Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS SharePoint?
7. Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

FAIMIS has the following controls in place for limiting system access:

  • Application level access forms are completed (signed) and sent to the OCFO.
  • The establishment of a new user account is approved by FSB upon receipt of a supervisor approved application form.

  • The end-user is required to have a security clearance.
  • The end-user is required to sign the Rules of Behavior.
  • User access levels are determined based on the user's organization profile.
  • The system is secured with the appropriate password protection.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

FAIMIS has the following controls in place for limiting system access:

  • Application level access forms are completed (signed) and sent to the OCFO.
  • User access levels are determined based on the user's organization profile.
  • Predefined user profiles are established to provide assurance of separation of duties.
  • System is secured with password protection.
  • Only users with appropriate access levels are able to edit reference data (establishing budgetary and accounting codes and job codes).
  • Establishing a new budgetary and accounting code requires approval from OCFO.
  • Daily, monthly, and end-of-cycle Q/A checks have been developed and put in place.
  • A process for system change requests is in place to maintain documentation of changes.
  • Only a limited subset of users (as defined by their FAIMIS role) have access to sensitive information such as SSN and bank account numbers.

Users without appropriate permission are not allowed to view this information.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes

(1) If yes, where?

All system controls including access controls are documented in the FAIMIS System Security Plan (SSP), which is retained in ADAMS. Other documentation supporting specific controls is also maintained in ADAMS and referred to in the SSP.

4. Will the system be accessed or operated at more than one location (site)?

No, FAIMIS users will access the production (cloud) environment located in Sterling, Virginia. As described in the SSP, users access FAIMIS through a secured VPN tunnel from NRC/ITI to Microsoft Azure cloud.

a. If yes, how will consistent use be maintained at all sites?
5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

Pre-defined user groups are established for FAIMIS and all groups have access to the system. This information can be found in the FAIMIS SSP.

6. Will a record of their access to the system be captured?

Yes

a. If yes, what will be collected?

Audit logs and system access records are part of Federal Financial Management System requirements. These requirements have been incorporated into the FAIMIS System Requirements Specification (SRS) document as part of the FAIMIS business case. FAIMIS captures a record of the User ID with a time and date stamp, table/form or transaction accessed, and action taken. FAIMIS also maintains a record of any batch, report, or interface job run. The Momentum software comprising the FAIMIS solution maintains document-based transaction audit history for all financial transactions entered and processed.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

  • FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
  • PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

Audit logs and system access records are part of Federal Financial Management System requirements. These requirements have been incorporated into the FAIMIS System Requirements Specification (SRS) document as part of the FAIMIS business case. FAIMIS captures a record of the User ID with a time and date stamp, table/form or transaction accessed, and action taken. FAIMIS also maintains a record of any batch, report, or interface job run. The Momentum software comprising the FAIMIS solution maintains document-based transaction audit history for all financial transactions entered and processed.

9. Are the data secured in accordance with FISMA requirements?
a. If yes, when was Certification and Accreditation last completed?

September 9, 2016

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)

System Name: Financial Accounting and Integrated Management Information System (FAIMIS)

Submitting Office: Gordon Peterson, Office of the Chief Financial Officer

A. PRIVACY ACT APPLICABILITY REVIEW

[ ] Privacy Act is not applicable.
[X] Privacy Act is applicable.

Comments:

FAIMIS does contain personally identifiable information and is covered under the NRC's Privacy Act System of Records NRC 32, Office of the Chief Financial Officer Financial Transactions and Debt Collection Management Records.

Reviewer's Name / Title / Date: Sally A. Hardy, Privacy Officer, 12/4/2018

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

[ ] No OMB clearance is needed.
[X] OMB clearance is needed.
[X] Currently has OMB Clearance. Clearance No. 3150-0188

Comments:

The collection of TINs is covered by the clearance for Form 531 (3150-0188). The collection of information from invitational travelers using the OCFO INVITATIONAL TRAVELER REQUEST FORM is an unapproved information collection. The form also needs to be added to the NRC Forms program and a Privacy Act Statement. Since the collection of information from invitational travelers is part of the eTravel System, the need for a clearance does not impact FAIMIS.

Reviewer's Name / Title / Date: David Cullison, Agency Clearance Officer, 12/3/18

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

[ ] No record schedule required.
[ ] Additional information is needed to complete assessment.
[ ] Needs to be scheduled.
[X] Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name / Title / Date: Marna B. Dove, Sr. Program Analyst, Electronic Records Manager, 11/19/18

D. BRANCH CHIEF REVIEW AND CONCURRENCE

[ ] This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
[X] This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

/RA/ Date: December 6, 2018

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT / PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Office of the Chief Financial Officer
Name of System: Financial Accounting and Integrated Management Information System (FAIMIS)

Date ISB received PIA for review: October 10, 2018
Date ISB completed PIA review: December 4, 2018

Noted Issues:

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer
Signature/Date: /RA/ December 6, 2018

Copies of this PIA will be provided to:

Tom Rich, Director, IT Services Development & Operation Division, Office of the Chief Information Officer
Jonathan Feibus, Chief Information Security Officer (CISO), Governance & Enterprise Management Services Division, Office of the Chief Information Officer