ML19260E480

Replacement Reactor Program System RRPS
ML19260E480
Person / Time
Issue date: 11/01/2019
From: Anna McGowan
NRC/OCIO
To:


Text

ADAMS ML19260E480

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Replacement Reactor Program System

Date: June 20, 2019

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

NRC staff and contractors use the Replacement Reactor Program System (RRPS) for the following activities:

  • to track licensing of reactor operators
  • to plan, schedule, and track power and research test reactors inspections
  • to plan and track workload for facility licensing activities
  • to manage the Reactor Oversight Process, including Human Factors
  • to monitor operational experience and manage operational workload
  • to review and publish event status reports
2. What agency function does it support?

RRPS tracks licensing of operators and provides planning, scheduling and reporting capabilities to support the NRC reactor licensing, inspection and oversight processes.

3. Describe any modules or subsystems, where relevant, and their functions.

RRPS consists of the Inspections, Licensing Workload Management, Operator Licensing, Reactor Oversight, Human Factors and Reactor Operating Experience modules.

PIA Template (04-2019) Page 1 of 21

4. What legal authority authorizes the purchase or development of this system?

42 U.S.C. 2201(d), 2201(p) (1996) and 42 U.S.C. 2137 and 2201(i) (1996).

5. What is the purpose of the system and the data to be collected?

Information in these records may be used:

a. To track the status of operator licensing candidates and licensed facility operators.
b. To provide reports and statistical evaluations related to selection, training, examination and licensing of facility operators and partial workload projections.
c. As a project management tool in various management records throughout the NRC.
6. Points of Contact:

Project Manager (Name, Office/Division/Branch, Telephone)

  • Gayathri Sastry, OCIO/COEAB/MAT, 301-415-8344

Business Project Manager (Name, Office/Division/Branch, Telephone)

  • Ikeda Betts, NRR/DIRS/IOLB, 301-415-1065
  • Marc Ferdas, NRR/DIRS/IRIB, 301-415-1003
  • Sam Lee, NRR/DORL/LPL3-2/MDAT, 301-415-8086
  • Jason Carneal, NRR/DIRS/IOEB, 301-415-1451
  • Dan Merzke, NRR/DIRS, 301-415-3469

Technical Project Manager (Name, Office/Division/Branch, Telephone)

  • Consuella Debnam (ISSO), OCIO/SDOD/SOB, 301-287-0834
  • Luc Phuong (Alternate ISSO), OCIO/SDOD/SOB, 301-415-1103

Backup Technical Project Manager (Name, Office/Division/Branch, Telephone)

  • Indu M Konduri / Melissa Ash, OCIO/COEAB/MAT, 301-415-8533

Executive Sponsor (Name, Office/Division/Branch, Telephone)

  • Ho Nieh, Director, NRR, 301-415-1270

ISSO (Name, Office/Division/Branch, Telephone)

  • Consuella Debnam (ISSO), OCIO/SDOD/SOB, 301-287-0834
  • Luc Phuong (Alternate ISSO), OCIO/SDOD/SOB, 301-415-1103

System Owner/User (Name, Office/Division/Branch, Telephone)

  • Chris Cowdrey, NRR/DIRS/IOLB, 301-415-3085

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System
   X Modify Existing System
   Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes

(1) If yes, provide the date approved and ADAMS accession number.

ML15252A120 (RPS), approved 4/5/2016; ML092390130 (RPS), approved 2/3/2009; ML052550247 (RPS), approved 8/29/2005; and ML041910525 (OLTS), approved 5/28/2004.

(2) If yes, provide a summary of modifications or other changes to the existing system.

The major modification has been that the Operator Licensing functionality has been deployed in Replacement RPS. This web-based system is capable of being agile and flexible to business needs and processes and helps the agency plan and execute their licensing and inspection mission.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes

a. If yes, please provide Enterprise Architecture (EA)/Inventory number.

20150003

b. If no, please contact EA Service Desk to get Enterprise Architecture (EA)/Inventory number.


B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

RRPS maintains information about reactor operator candidates and operator licenses.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. SSN, Place of Birth, Name, Address)?

To track licensing of reactor operators, the system maintains the applicant's/operator's name, date of birth, home address, citizenship, military and work history, education, medical information, employer name and address, examination test scores, license type, fitness for duty and violations information.

c. Is information being collected from the subject individual?

Yes

(1) If yes, what information is being collected?

Information being collected is name, home address, birth date, citizenship, education, military and employment history, medical information, employer name and address, examination test scores, license type, fitness for duty and violations information.


d. Will the information be collected from individuals who are not Federal employees?

Yes

(1) If yes, does the information collection have OMB approval?

Yes

(a) If yes, indicate the OMB approval number:

3150-0090 (NRC Form 398); 0024 (NRC Form 396) with additional information covered by 3150-0018 (10 CFR Part 55).

(b) Is the information being collected from existing NRC files, databases, or systems?

No

e. Is the information being collected from existing NRC files, databases, or systems?

Yes

(1) If yes, identify the files/databases/systems and the information being collected.

The candidate/operator provides information to the NRC that has been certified by an authorized representative of the facility licensee, as required by 10 CFR Part 55, on NRC Form 398 (10 CFR Part 55.31(4)), Personal Qualification Statement-Licensee, and NRC Form 396 (10 CFR 55.23), Certification of Medical Examination.

f. Is the information being collected from external sources (any source outside of the NRC)?

Yes

(1) If yes, identify the source and what type of information is being collected?

The facility and the employee together supply the requested information as named in 1c(1). The employee and the facility managers must certify as to the accuracy of the information.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

Collected information is certified by facility management before it is submitted. NRC audits a sample of applications.

h. How will the information be collected (e.g. form, data transfer)?

Operator licensing information is collected by hard copy or electronically transferred forms and letters.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes

(1) If yes, identify the type of information (be specific).

Planning, scheduling, inspecting and reporting for facility licensees is maintained by the system.

Workload records related to licensing and inspecting facility licensees are also maintained.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

Facility licensee licensing and inspection activity is a workload plan developed internally by staff and entered into RRPS.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The system data is used to produce operator licensing status reports, inspection reports, safety evaluation reports, and performance/action matrix reports.


2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes

3. Who will ensure the proper use of the data in this system?

RRPS employs an access control mechanism that regulates access to content based on the user's role and the permissions associated with that role (e.g., view, create, or modify).

4. Are the data elements described in detail and documented?

Yes

a. If yes, what is the name of the document that contains this information and where is it located?

The data elements are documented in the RRPS Security Categorization and database design documents located in the project repository and ADAMS.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No, derivation or aggregation of data occurs outside of the system.

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A

b. How will aggregated data be validated for relevance and accuracy?

N/A

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

Yes

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

Operator licensing records are retrieved by name and docket number.

All other records are retrieved by name, docket or report number.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

Yes

a. If Yes, provide name of SORN and location in the Federal Register.

System NRC-16 Facility Operator Licensees Record Files (10 CFR Part 55), republished in the Federal Register Vol. 81, No. 222 on Thursday, November 17, 2016.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

Yes, for operator licensing only.

a. If yes, explain.

Operator licensing records are retrieved by name and docket number.

All other records are retrieved by name, docket and report number.


(1) What controls will be used to prevent unauthorized monitoring?

The security controls recommended by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, are applied to RRPS to prevent the misuse of information.

Access to specific information is restricted to only individuals and/or user groups who have a need to know and have authorized access.

10. List the report(s) that will be produced from this system.

Reports that may be produced include, but are not limited to:

  • Examination of Grade Average
  • Activity Report
  • Exam Information
  • Quarterly/Activity Status
  • Medical Report
  • Active Operators Count
  • Active Applications
  • Licenses Due Within 60 Days
  • 3 Month, 6 Month and 1 Year Restriction
  • License Restriction
  • Number of Anticipated Renewals
  • Renewal Tracking Report
  • Proposed Denials/Appeals Status
  • Waiver Tracking Report
  • Expired Licenses Report
  • Amended Licenses Tracking Report
  • Inspection Activity Plan
  • Inspection Schedules
  • Reactor Oversight
  • Reactor Events
  • Inspection Reports
  • Licensing Milestone Report
a. What are the reports used for?

The reports are used for tracking licensing of operators, planning, scheduling, reporting, and analyzing inspection and facility licensing activities at nuclear power and research and test reactor facilities in the United States. They are used to monitor implementation of the policy and inspection guidance for programs assigned to the NRC headquarters and regional offices, and to assess the effectiveness and uniformity of agency-wide implementation of those programs.

b. Who has access to these reports?

Only authorized users of RRPS have access to the reports.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

Office of Nuclear Reactor Regulation (NRR), Office of Nuclear Material Safety and Safeguards (NMSS), Office of Nuclear Security and Incident Response (NSIR), Region I, Region II, Region III, and Region IV. NMSS is included for ISFSI/Fuel Cycle and NSIR for security inspections.

Access to operator licensing data is limited to NRR and Regional Operator Licensing staff only.

Workload data access is defined by system roles.

(1) For what purpose?

To track licensing of reactor operators; to plan, schedule, and track power and research test reactors inspections; plan and track workload for facility licensing activities; manage the Reactor Oversight Process, including Human Factors; monitor operational experience and manage operational workload; and review and publish event status reports.

(2) Will access be limited?

Yes, for only those who have a need to know.


2. Will other NRC systems share data with or have access to the data in the system?

Yes

(1) If yes, identify the system(s).

Cost Activity Code System (CACS), ADAMS, and the Enterprise Project Management (EPM) data warehouse have interfaces with RRPS.

(2) How will the data be transmitted or disclosed?

RRPS requests and updates inspection and facility licensing Enterprise Project Identifiers (EPIDs) from CACS via API; shares inspection and licensing accession numbers and metadata with ADAMS via hyperlink and API; and shares relevant inspection and licensing data with the EPM data warehouse via data view.

3. Will external agencies/organizations/public have access to the data in the system?

No

(1) If yes, who?

N/A

(2) Will access be limited?

N/A

(3) What data will be accessible and for what purpose/use?

N/A

(4) How will the data be transmitted or disclosed?

N/A

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 U.S.C., 36 CFR). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management (RIM) and NARA's Universal Electronic Records Management (ERM) requirements, and if a strategy is needed to ensure compliance.

Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules?

Previously, the RPS retention schedule, N1-431-08-18, was approved by NARA on 2/3/09, ML092390130; however, the current PIA provides for additional functionality that was not present in the previously approved Legacy RPS. Based on the previous retention schedule for RPS, approved 2/3/2009, the input information did not need to be approved by the archivist. The instructions stated that once the input was entered and verified, the records could be destroyed in accordance with the appropriate approved schedule.

  • Therefore, once the input information is entered into RRPS, use GRS 5.2 item 020 - Intermediary records (input source) for their disposition - see E.a below.

In addition, some records in the system are scheduled as shown in E.a, and some may need to be scheduled as they may not fall under a current GRS; therefore, NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained. Until the approval of such schedule, these records and information are Permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C., Chapter 101, and Section 2071. Implementation of retention schedules is mandatory under 44 U.S.C. 3303a(d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).


For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Inputs:

GRS 5.2 item 020 - Intermediary records (input source) (See GRS for description of types of Input)

Disposition: Temporary. Destroy upon verification of successful creation of the final document or file, or when no longer needed for business use, whichever is later. DAA-GRS-2017-0003-0002

Master File: information maintained in the system

a) Licensee Information
b) Operator Information
c) Inspection Information
d) Workload Information

Disposition: (using the previously approved instruction)

Temporary. Maintain the information in RRPS for as long as NRC administers the licensing and inspection of the power plant facilities. Cut off information in the tables when the function is terminated or RRPS is decommissioned. Transfer the information to the successor system and delete/destroy the RRPS tables 1 year after cutoff.

Outputs:

Reports. Temporary. Cut off and destroy when no longer needed for business use.


10 CFR Part 55 Docket Files - NUREG 0910 2.18.6.a - Temporary. Cut off files upon latest license expiration/revocation/termination, application denial or withdrawal, or issuance of denial letter. Destroy when 10 years old.

Examination Package - NUREG 0910 2.18.6.b - Temporary. Cut off file upon receipt of the facility's next exam. Destroy 4 years after cutoff.

General Correspondence - NUREG 0910 2.18.6.c - Cut off at close of fiscal year. Destroy when 10 years old.

b. If no, please contact the Records and Information Management (RIM) staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Application users are authenticated using Integrated Windows Authentication, in accordance with the NRC Identity, Credential, and Access Management (ICAM) Authentication Framework. The application provides a single sign-on experience that allows Active Directory to verify whether a user should have access. This is coupled with a second layer of security that verifies that the user has an active role within the application granting permission to perform specific tasks.

Roles control the data a user may see and the actions they may take, and are assigned and maintained within the application by application administrators.

RRPS users are authenticated through Integrated Windows Authentication with Kerberos for authentication security, in accordance with the NRC Identity, Credential, and Access Management (ICAM) Authentication Framework.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

The security controls recommended by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, are applied to RRPS to prevent the misuse of information. Access to specific information is restricted to only individuals and/or user groups who have a need to know and have authorized access.


3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Each RRPS module has specific user-defined roles that control what each user has access to in the system:

RRPS-OL

  • RRPS-OL Administrator: Has permissions to view and edit all dockets in RRPS-OL; and has the ability to create and change user roles.
  • RRPS-OL Branch Chief: Has permissions to generate and be connected to letters; and has permissions to view RRPS-OL.
  • RRPS-OL Examiner: Has permissions to view only in RRPS-OL.
  • RRPS-OL OLA: Has permissions to view all dockets in RRPS-OL and edit any dockets in their region. If an applicant is changing regions, the OLA will be prompted that they are creating an application for a user in a different region and ask them if this is what they want to do.
  • RRPS-OL Viewer: Has permissions to view only in RRPS-OL.

RRPS-Licensing

  • RRPS-Licensing Project Manager: Has permissions to generate and edit projects in their branch; and has view only permissions to all other projects.
  • RRPS-Licensing Branch Chief: Has permissions to designate staff to projects that they have been assigned; and has view only permissions to all other projects.
  • RRPS-Licensing Technical Reviewer: Has permissions to comment and edit milestones for projects that they have been assigned; and has view only permissions to all other projects.
  • RRPS-Licensing Administrator: Has permissions to create, view, and edit all projects in the system; and has the ability to create and change user roles.
  • RPS-Licensing Escalation Executive: Has view only permissions to all projects.
  • RPS-Licensing Licensing Assistant: Has permissions to view all dockets in RRPS-OL and edit any dockets in their region. If an applicant is changing regions, the OLA will be prompted that they are creating an application for a user in a different region and ask them if this is what they want to do.


RRPS-Inspections

  • RRPS-Inspections Admin User: Has the ability to create and change user roles.
  • RRPS-Inspections Administrator: Has full access to the Calendar, Sites, and RRPS Reports tabs; and has the capability to decertify inspection reports.
  • RRPS-Inspections IP Management User: Has full access to the IP Management and RRPS Reports tabs.
  • RRPS-Inspections Read Only User: Has view only access to the Calendar and Sites tabs, and full access to the RRPS Reports tab.
  • RRPS-Inspections Report User: Has full access to the Inspection Reports and RRPS Reports tabs.
  • RRPS-Inspections Super User: Has full access to the Calendar, Sites, RRPS Reports, Inspection Reports, IP Management, and Administrator tabs; and has the capability to decertify inspection reports.
  • RRPS-Inspections User: Has full access to the Calendar, Sites, and RRPS Reports tabs; and has the ability to create inspection report numbers, close, and certify them. This role will not be able to decertify (this is the Inspections Administrator role), modify, cancel, or manage inspection reports (this is the Inspections Report User role). Additional roles will need to be added for access to those functions.
  • RRPS-Inspections Branch Chief User: Has the ability to Certify and Decertify results, Inspections, and Inspection Reports.
  • RRPS-Inspections Approvals Tab Viewer: Has view rights to the approvals tab. Cannot approve or delete staff assignments or EPID requests.
  • RRPS-Inspections Report Generation Admin User: Has access to the Auto Report Generation tab and can edit the template and scope/ghost text.

RRPS-Oversight

  • RRPS-Oversight Administrator: Has full access to all sub-modules and tabs within the Oversight application; and has the ability to create and change user roles.
  • RRPS-Oversight ROE: Has full access to the Reactor Operating Events sub-module.
  • RRPS-Oversight HFIS: Has full access to the Human Factor Information System sub-module.


  • RRPS-Oversight TRG: Has full access to the Reactor Operating Events sub-module.
  • RRPS-Oversight Reports: Has full access to Reports tab.
  • RRPS-Oversight HFCoding: Has full access to HFIS Coding tab.
  • RRPS-Oversight HOO: Has full access to HOO Data Upload Tab.

(1) If yes, where?

ADAMS

4. Will the system be accessed or operated at more than one location (site)?

Yes, the system will be accessed by the NRC Program Office (HQ), Regional Offices, and through agency approved methods (e.g., VPN, Citrix, mobility platforms). The system is operated at the Data Center in US-NRC.

a. If yes, how will consistent use be maintained at all sites?

The system is centrally located and is accessible via the intranet.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

RRPS roles and access are listed in question F3.

6. Will a record of their access to the system be captured?

Yes

a. If yes, what will be collected?

The application is not tracking access requests directly. RRPS utilizes Windows authentication and the server logs a user's LANID for each attempt to access the system.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes

8. What auditing measures and technical safeguards are in place to prevent misuse of data?


The security controls recommended by NIST SP 800-53 are implemented in RRPS to prevent misuse of the data. Splunk is in place in the data center for auditing purposes.

9. Is the data secured in accordance with FISMA requirements?

Yes

a. If yes, when was Certification and Accreditation last completed?

RRPS is a subsystem of the Business Application Support System (BASS) system. The BASS system received an Authority to Operate (ATO) on January 7, 2016 (ML15309A762),


PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)

System Name: Replacement Reactor Program System

Submitting Office: Office of the Chief Information Officer

A. PRIVACY ACT APPLICABILITY REVIEW

Privacy Act is not applicable.

X Privacy Act is applicable.

Comments:

Covered by NRC-16, Facility Operator Licensees Record Files (10 CFR Part 55)

Reviewer's Name: Sally A. Hardy
Title: Privacy Officer
Date: 10/29/2019

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

No OMB clearance is needed.

OMB clearance is needed.

X Currently has OMB Clearance. Clearance No. 3150-0090 (NRC Form 398); 0024 (NRC Form 396) and 3150-0018 (10 CFR Part 55).

Comments:

Reviewer's Name: David Cullison
Title: Agency Clearance Officer
Date: 10/16/19

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

X Additional information is needed to complete assessment.

Needs to be scheduled.

Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name: Marna B. Dove
Title: Sr. Program Analyst, Electronic Records Manager
Date: 10/28/19

D. BRANCH CHIEF REVIEW AND CONCURRENCE

This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

/RA/ Date: November 1, 2019

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: Ho Nieh, Director, NRR

Name of System: Replacement Reactor Program System

Date ISB received PIA for review: September 17, 2019

Date ISB completed PIA review: October 29, 2019

Noted Issues:

NRC-16, Facility Operator Licensees Record Files (10 CFR Part 55)

Anna T. McGowan, Chief
Information Services Branch
Governance & Enterprise Management Services Division
Office of the Chief Information Officer

Signature/Date: /RA/ November 1, 2019

Copies of this PIA will be provided to:

Thomas Ashley, Director
IT Services Development & Operation Division
Office of the Chief Information Officer

Jonathan Feibus
Chief Information Security Officer (CISO)
Governance & Enterprise Management
Office of the Chief Information Officer