ML21025A267
ML21025A267 | |
Person / Time | |
---|---|
Issue date: | 01/13/2021 |
From: | Tung Truong NRC/OCFO/DOC/FRB |
To: | |
References | |
Download: ML21025A267 (16) | |
Text
U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.
Financial Management System (FMS)
Human Resources Management System Cloud (HRMSC)
Date: January 13, 2021 A. GENERAL SYSTEM INFORMATION
- 1. Provide a detailed description of the system: (Use plain language, no technical terms.)
Human Resources Management System Cloud (HRMSC) captures time, attendance, and labor data. HRMSC leverages the Federal Risk and Authorization Management Program (FedRAMP) authorized Oracle Fusion Cloud, Human Capital Management (HCM) software-as-a-service (SaaS) application. The HCM Time & Labor (T&L) and Absence modules require all employees to be self-reporters and to enter time taken for vacation, sick leave, jury duty, etc. It also tracks monthly leave accrual (vacation and sick hours earned each month vs. hours taken).
HRMSC is a subsystem of the Office of the Chief Financial Officers (OCFO)
Financial Management System (FMS) FISMA boundary. FMS will provide the framework for managing cybersecurity compliance for OCFO financial services and systems used by the U.S. Nuclear Regulatory Commission (NRC). FMS is an umbrella system that consists of subsystems which support mission and business functions that OCFO provides for the agency.
- 2. What agency function does it support? (How will this support the U.S.
Nuclear Regulatory Commissions (NRCs) mission, which strategic goal?))
HRMSC supports recording of employee activity-based hours to be used primarily for payroll and fee billing.
- 3. Describe any modules or subsystems, where relevant, and their functions.
Time and Labor - NRC employees can report, manage, and process time using the Time and Labor module. Time data can be transferred to global payroll, project costing, and external applications.
Absence Management - NRC employees can schedule and approve absences, maintain absences, and analyze absence data using Absence Management.
PIA Template (01-2021) 1
- 4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)
26 Code of Federation Regulations (CFR) 31.6011(b)(2), 31.6109-1; 5 United States Code (U.S.C.) 6334; 5 U.S.C. Part III, Subpart D; 31 U.S.C. 716; 31 U.S.C. Chapters 35 and 37.
- 5. What is the purpose of the system and the data to be collected?
The purpose is to collect time and attendance data for payroll processing; formulating and executing budgets, operations planning, workload planning, labor data reporting, performance monitoring, reporting on resource expenditures, billing NRC licensees and managing costs associated with collecting fees.
- 6. Points of
Contact:
(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)
Project Manager Office/Division/Branch Telephone Sharon Clarkson OCFO/DOC/FSB 301-415-8483 Business Project Manager Office/Division/Branch Telephone Erikka LeGrand OCFO/DOC/FSOB 301-415-7748 Technical Project Manager Office/Division/Branch Telephone Executive Sponsor Office/Division/Branch Telephone ISSO Office/Division/Branch Telephone Tung Truong OCFO/DOC/FSB 301-415-8490 System Owner/User Office/Division/Branch Telephone Cherish K. Johnson OCFO 301-415-7322 PIA Template (01-2021) 2
- 7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
- a. New System X Modify Existing System Other
- b. If modifying or making other updates to an existing system, has a PIA been prepared before?
Yes.
(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.
ADAMS Main Library (ML) ML18305A362.
(2) If yes, provide a summary of modifications or other changes to the existing system.
OCFO is migrating from the on-premise Human Resources Management System PeopleSoft system to the FedRAMP authorized Oracle Fusion Cloud, HCM SaaS solution.
- 8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?
Yes.
- a. If yes, please provide the EA/Inventory number.
20210005.
- b. If, no, please contact EA Service Desk to get the EA/Inventory number.
B. INFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.
PIA Template (01-2021) 3
- 1. INFORMATION ABOUT INDIVIDUALS
- a. Does this system maintain information about individuals?
Yes.
(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licenses etc.)).
Federal - NRC employees.
(2) IF NO, SKIP TO QUESTION B.2.
- b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?
The information and data maintained in the system is general employee information (first name, last name, SSN), salaries and benefits, leave balances, payroll data, time and attendance data, and activity-based work hours.
- c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)
Yes.
(1) If yes, what information is being collected?
The data being collected from individuals includes time and attendance information.
- d. Will the information be collected from individuals who are not Federal employees?
No.
(1) If yes, does the information collection have the Office of Management and Budgets (OMB) approval?
N/A.
(a) If yes, indicate the OMB approval number:
N/A.
PIA Template (01-2021) 4
- e. Is the information being collected from existing NRC files, databases, or systems?
Yes.
(1) If yes, identify the files/databases/systems and the information being collected.
OCFO FMS Budget Formulation System (BFS) - HRMSC transmits employee payroll information to BFS.
OCFO FMS Financial Accounting and Integrated Management Information System (FAIMIS) - HRMSC sends employees hour and payroll data to FAIMIS.
Office of the Chief Information Officer (OCIO) Business Application Support System Cost Activity Code System (CACS) -
Employee staff assignment information.
- f. Is the information being collected from external sources (any source outside of the NRC)?
Yes.
(1) If yes, identify the source and what type of information is being collected?
The source is an American Standard Code for Information Interchange (ASCII) text file from the Department of Interiors (DOI) Federal Payroll and Personnel System (FPPS). The type of information is employee demographics, SSN, salary and benefits, leave balances and payroll.
- g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?
Data is verified through the OCFO reconciliations, Standard Form 52s, and Earnings and Leave statements.
- h. How will the information be collected (e.g. form, data transfer)?
The information is collected through data transfer using the Oracle HCM data loader tool.
- 2. INFORMATION NOT ABOUT INDIVIDUALS
- a. Will information not about individuals be maintained in this system?
Yes.
PIA Template (01-2021) 5
(1) If yes, identify the type of information (be specific).
Activity codes against which employees charged their time, and office designations.
- b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.
The source of this information comes from internal and external systems.
Internal systems include CACS and the external system is DOI FPPS.
The information is transferred via HCM data loader tool.
C. USES OF SYSTEM AND INFORMATION These questions will identify the use of the information and the accuracy of the data being used.
- 1. Describe all uses made of the data in this system.
Uses of the data are as follows: data transmissions to DOI for paycheck and leave balances calculations, license fees billings, updates to the agencys core financial system, financial reporting, project management, salary and benefits modeling, cost accounting modeling, and strategic workforce planning.
- 1. Is the use of the data both relevant and necessary for the purpose for which the system is designed?
Yes.
- 2. Who will ensure the proper use of the data in this system?
All NRC employees.
- 3. Are the data elements described in detail and documented?
Yes.
- a. If yes, what is the name of the document that contains this information and where is it located?
HRMSC Data Conversion Strategy.
- 4. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
Yes.
PIA Template (01-2021) 6
Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.
Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).
- a. If yes, how will aggregated data be maintained, filed, and utilized?
The aggregated data will be maintained in HRMSC. A small subset of this data is also in the NRCs financial and CACS systems and DOIs FPPS. Information is maintained electronically by personnel specialists or payroll operations staff. Hard copy documentation is kept in the employees time and attendance folders. Aggregate information is used to manage labor cost data for the purposes of employee wage and compensation.
- b. How will aggregated data be validated for relevance and accuracy?
To assure data integrity and internal controls, data discrepancy reports have been created. Office of the Chief Human Capital Officer (OCHCO) and OCFO investigate any discrepancies that they discover or that are brought to their attention by employees. Agency policies on information integrity, security, and roles and responsibilities are documented in a series of Management Directives relating to personnel and financial information.
- c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?
Data access is restricted in the HRMSC system based on role and need-to know. Internal agency policies and procedures define controls and protections based on OMB requirements and the National Institute of Standards and Technology guidelines. Controls are audited and tested routinely to assure adequate protections from unauthorized access, use, or modification. The system utilizes user identification number (ID) and password protections and relies on parameter defenses to protect the systems and records.
- 5. How will data be retrieved from the system? Will data be retrieved by an individuals name or personal identifier (name, unique number or symbol)?
(Be specific.)
Data is retrieved by a system-generated employee ID and/or employee last name / first name. Yes.
PIA Template (01-2021) 7
- a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.
Employee identification number.
- 6. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?
Yes.
- a. If Yes, provide name of SORN and location in the Federal Register.
US Federal Government-wide SORN.
- 7. If the information system is being modified, will the SORN(s) require amendment or revision?
No.
- 8. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?
No.
- a. If yes, explain.
N/A.
(1) What controls will be used to prevent unauthorized monitoring?
N.A,
- 9. List the report(s) that will be produced from this system.
HRMSC will produce time and labor related reports. HRMSC can also report on any other data element that is stored in HRSC (via inbound feeds) along with time & attendance data.
- a. What are the reports used for?
The reports are used for OCHCO management, workforce planning, payroll processing and reporting, labor cost reporting, and financial accounting purposes.
- b. Who has access to these reports?
Staff from OCHCO, OCFO, OCIO, and Office-designated T&L Coordinators based on relevance to the functions each office performs.
PIA Template (01-2021) 8
D. ACCESS TO DATA
- 1. Which NRC office(s) will have access to the data in the system?
All NRC Offices have access.
(1) For what purpose?
For employee time entry, approvals, and reporting of activities.
(2) Will access be limited?
Yes, access will be limited based on roles and responsibilities with need-to-know to perform official duties.
- 2. Will other NRC systems share data with or have access to the data in the system?
Yes.
(1) If yes, identify the system(s).
CACS, FAIMIS, FPPS, BFS.
(2) How will the data be transmitted or disclosed?
The data to and from HRMSC will be transmitted to other systems via batch file interfaces.
- 3. Will external agencies/organizations/public have access to the data in the system?
Yes, but no direct system access. Data is shared via ASCII text files.
(1) If yes, who?
DOI and Office of Personnel Management.
(2) Will access be limited?
Yes, access will be limited based on roles and responsibilities with need-to know to perform official duties.
(3) What data will be accessible and for what purpose/use?
Employee name, address, social security number, banking information, salary and time worked. Information is used for employee reporting, payroll, and system maintainability.
PIA Template (01-2021) 9
(4) How will the data be transmitted or disclosed?
The HRMSC data to and from DOI will be transmitted through on-premise NRC server.
E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federation Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARAs Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.
- 1) Can you map this system to an applicable retention schedule in NRCs Comprehensive Records Disposition Schedule (NUREG-0910), or NARAs General Records Schedules (GRS)?
Yes.
- a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).
For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?
PIA Template (01-2021) 10
GRS Title Disposition Instructions 2.4 item 010 Records used to calculate Temporary. Destroy 2 years payroll, arrange paycheck after employee separation or deposit, and change retirement, but longer retention previously issued is authorized if required for paychecks. business use.
2.4 Item 030 Time and attendance Temporary. Destroy after records. Government Accountability Office (GAO) audit or when 3 years old, whichever is sooner.
2.4 Item 040 Agency payroll record for Temporary. Destroy when 56 each pay period. years old.
2.4 Item 050 Wage and tax statements. Temporary. Destroy when 4 years old, but longer retention is authorized if required for business use.
2.4 Item 060 Payroll program Temporary. Destroy when 2 administrative records. years old, but longer retention Administrative is authorized if required for correspondence between business use.
agency and payroll processor, and system reports used for agency workload and or personnel management purposes.
2.4 Item 061 Payroll program Temporary. Destroy when 3 administrative records. years old or after GAO audit, Payroll system reports but longer retention is providing fiscal information authorized if required for on agency payroll. business use.
- b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.
F. TECHNICAL ACCESS AND SECURITY
- 1. Describe the security controls used to limit access to the system (e.g., passwords).
HRMSC users will be authenticated through the NRC Information Technology Infrastructure/Identity, Credential, & Access Management Authentication Gateway.
PIA Template (01-2021) 11
- 2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?
Single Sign On will be enabled for application and user access and activity can be monitored by service administrators. Access will be monitored. Audit trails track user access by User ID with date and time stamps and will be periodically reviewed by the assigned Information System Security Officer (ISSO) designees.
- 3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?
Yes.
(1) If yes, where?
Standard Oracle documentation and NRC HRMSC security documentation.
- 4. Will the system be accessed or operated at more than one location (site)?
Yes.
- a. If yes, how will consistent use be maintained at all sites?
The HRMSC will be hosted in the cloud and accessible from the internet.
- 5. Which user groups (e.g., system administrators, project managers, etc.)
have access to the system?
There are several user groups that have access to the system. All employees for time entry are in an Employee group. Timekeepers are in a Timekeeper group.
T&L Coordinators are in the Coordinator group. OCHCO and T&L have their own groups. Payments and Payroll Branch and HRMS Operations and Maintenance team and System administrators are in an all-inclusive access group.
- 6. Will a record of their access to the system be captured?
Yes.
- a. If yes, what will be collected?
Oracle captures user logs/access.
- 7. Will contractors be involved with the design, development, or maintenance of the system?
YES; HRMSC is a SaaS cloud solution; Oracle will be maintaining the cloud infrastructure/servers.
PIA Template (01-2021) 12
If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.
Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
- 8. What auditing measures and technical safeguards are in place to prevent misuse of data?
Oracle captures access logs.
- 9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?
Yes.
- a. If yes, when was Certification and Accreditation last completed?
HRMS Cloud received short-term authorization on December 03, 2020.
PIA Template (01-2021) 13
PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)
System Name: Financial Management System (FMS)
Human Resources Management System Cloud (HRMSC)
Submitting Office: Office of the Chief Financial Officer (OCFO)
A. PRIVACY ACT APPLICABILITY REVIEW Privacy Act is not applicable.
X Privacy Act is applicable.
Comments:
This system contains personally identifiable information. The information is maintained as part of NRCs Privacy Act System of Records NRC-19, Official Personnel Training Records; NRC-21, Payroll Accounting Records; and Government-Wide System of Records OPM/GOVT-1 General Personal Records.
Reviewers Name Title Signed by Hardy, Sally on 02/09/21 Privacy Officer B. INFORMATION COLLECTION APPLICABILITY DETERMINATION X No OMB clearance is needed.
OMB clearance is needed.
Currently has OMB Clearance. Clearance No.
Comments:
The system only collects information from Federal employees.
Reviewers Name Title Signed by Cullison, David on 01/25/21 Agency Clearance Officer PIA Template (01-2021) 14
C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
X Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
Reviewers Name Title Signed by Dove, Marna Sr. Program Analyst, Electronic Records on 02/09/21 Manager D. BRANCH CHIEF REVIEW AND CONCURRENCE X This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.
This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.
I concur in the Privacy Act, Information Collections, and Records Management reviews:
Signed by Nalabandian, Garo on 02/10/21 Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information Officer PIA Template (01-2021) 15
TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/
PRIVACY IMPACT ASSESSMENT REVIEW RESULTS TO: Cherish K. Johnson, Chief Financial Officer, Office of the Chief Financial Officer (OCFO)
Name of System: Financial Management System (FMS)
Human Resources Management System Cloud (HRMSC)
Date CSB received PIA for review: Date CSB completed PIA review:
January 13, 2021 February 09, 2021 Noted Issues:
Chief Signature/Date:
Cyber Security Branch Governance and Enterprise Management Signed by Nalabandian, Garo Services Division on 02/10/21 Office of the Chief Information Officer Copies of this PIA will be provided to:
Thomas G. Ashley, Jr.
Director IT Services Development and Operations Division Office of the Chief Information Officer Jonathan R. Feibus Chief Information Security Officer (CISO)
Office of the Chief Information Officer PIA Template (01-2021) 16