ML21152A182

Web-Based Licensing (WBL) Integrated Source Management Portfolio (ISMP)

Issue date: 05/21/2021
From: NRC/OCIO
To: Kristobek R

PIA Template (03-2021)

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Web-Based Licensing (WBL)

Integrated Source Management Portfolio (ISMP)

Date: May 21, 2021

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

The Integrated Source Management Portfolio (ISMP) Web Based Licensing (WBL) resident application is a web-based Information Technology (IT) application that enables the U.S. Nuclear Regulatory Commission (NRC) to collect and manage nuclear materials licensing and inspection information. WBL is used by the NRC and some Agreement States to manage information about the licensing of nuclear materials, to provide timely responses to information queries, to track license applications and milestones, to review licenses, to track inspections and to provide license information to other NRC organizational units.

WBL replaced two aging legacy systems, the License Tracking System (LTS) and the Inspection Planning System (IPS).

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commission's (NRC's) mission, which strategic goal?)

Primarily, WBL supports the Materials Users Licensing and Inspection Program.

It also supports the Office of the Chief Financial Officer (OCFO) Financial Accounting and Integrated Management Information System (FAIMIS) by supplying license fee and billing information.

3. Describe any modules or subsystems, where relevant, and their functions.

N/A.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

Title VI - Nuclear Matters, Sub-Title D - Nuclear Security, of the Energy Policy Act of 2005.

5. What is the purpose of the system and the data to be collected?

WBL is used by the NRC and some Agreement States to manage information about the licensing of nuclear materials, to provide timely responses to information queries, to track license applications and milestones, to review licenses, to track inspections and to provide license information to other NRC organizational units.

6. Points of Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager: Joel Bristor; Office/Division/Branch: NMSS/PMDA; Telephone: 301-415-0299
Business Project Manager: Adelaide Giantelli; Office/Division/Branch: NMSS/MSST/SMPB; Telephone: 301-415-3521
Technical Project Manager: Joel Bristor; Office/Division/Branch: NMSS/PMDA; Telephone: 301-415-0299
Executive Sponsor: John W. Lubinski; Office/Division/Branch: NMSS; Telephone: 301-415-5975
ISSO: Rich Kristobek; Office/Division/Branch: NMSS/PMDA; Telephone: 301-415-5638
System Owner/User: John W. Lubinski; Office/Division/Branch: NMSS; Telephone: 301-415-5975

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?

a. New System Modify Existing System X Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

The application is not being modified at this time, just updating the PIA.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

June 8, 2017, ML17094A384.

(2) If yes, provide a summary of modifications or other changes to the existing system.

Just updating information elements in the PIA.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

Enterprise Architecture Number - 20040033.

b. If no, please contact EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS

a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licensed, etc.))).

Individuals may be Federal employees, Agreement State employees or licensees.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

Licensees:

Name, job title, business telephone and fax number, and business email address of licensee contacts and Radiation Safety Officers (RSO).

Name and job title of authorized users of byproduct/source materials.

Federal (NRC) OR Agreement State employees:

Names of inspectors.

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

No, the information is not collected directly from the individuals. The business applying for a materials license submits an application, which includes the information.

(1) If yes, what information is being collected?

N/A.

d. Will the information be collected from individuals who are not Federal employees?

Yes.

(1) If yes, does the information collection have the Office of Management and Budget's (OMB) approval?

Yes.

(a) If yes, indicate the OMB approval number:

OMB clearance No. 3150-0120 provides authority to the NRC for NRC Form 313 Application for Materials License, which covers the base data elements needed for the license application.

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

Yes - businesses applying for materials licenses.

(1) If yes, identify the source and what type of information is being collected?

Licensee applicants must submit an application via the NRC Form 313 which includes the business information of the applicant as well as contact information for authorized users of byproducts/source materials, and the RSO.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

This information is verified during the business process of reviewing licensee applications, which is conducted by the Office of Nuclear Material Safety and Safeguards (NMSS).

h. How will the information be collected (e.g. form, data transfer)?

Applicants send the information via the materials license application paper form (NRC Form 313).

2. INFORMATION NOT ABOUT INDIVIDUALS

a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

Licensee information:

Licensee organization name, organization address and organization phone number;

License information:

License number, material type, possession limit, places of use, license applications, status, docket number, primary and secondary program codes, action types, milestones, and milestone dates;

Fee categories:

Fee Category, Inspection Fee, New License Fee, Renewal License Fee, New License Annual Fee, Renewal License Annual Fee, Amendment License Fee, Small Amendment Fee;

Inspection information:

Priority; inspection dates; status of inspection.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

The information comes from the license application (NRC Form 313) and from NRC (reviewers in each Region and Headquarters (HQ)).

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

To track radioactive materials licensing and inspection (e.g. applications status, payment, inspections, and usage). The information related to fee billing is used by OCFO for issuing invoices, refunds, and collections.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

3. Who will ensure the proper use of the data in this system?

NMSS, OCFO and the Office of the Chief Information Officer (OCIO).

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

The Web-based Licensing Data Dictionary is available in BitBucket under Integrated Source Management Portfolio in the ISMP_Int/DB repository.

BitBucket is the NRC's official source code repository tool.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.

6. How will data be retrieved from the system? Will data be retrieved by an individual's name or personal identifier (name, unique number or symbol)? (Be specific.)

A WBL user can access information via queries and screen look ups in the WBL application. Queries will be keyed on a variety of Licensee Company, license, and inspection information elements. This includes the ability to search for a license by the RSO name, License Contact name, Authorized User name, and to search an inspection by the lead inspector's name. There may be a need to search by the individual's name (first or last name) if there is any question as to whether or not that person is named as the RSO on any other licenses that are active or might have been terminated. Inspectors may need to search for those licenses that they have inspected or are assigned to inspect. Information returned will be specific to the licenses, not information about the individuals.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

RSO name, License Contact name, Authorized User name, and to search an inspection by the lead inspector's name. There may be a need to search by the individual's name (first or last name) if there is any question as to whether or not that person is named as the RSO on any other licenses that are active or might have been terminated.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

N/A.

a. If Yes, provide name of SORN and location in the Federal Register.

N/A.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

The WBL application is not being modified at this time; there should not be a need to modify the SORN.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

10. List the report(s) that will be produced from this system.

The following are reports that are generated from WBL: Reviewer Report; Office Report; Report of Actions Completed; Active NRC Licenses in Each Region by Program Code; Actions Past Tickler; Fiscal YTD Report; Pending Assigned Actions; Actions Assigned to Region/HQ; Expired; License Within 90 Days of Expiration Date; Pending Actions over 60 Days - Summary; License Fee Worksheet; Actions Completed by Program Code - Monthly; Days Since Report for Pending Items; and ad hoc reports (upon specific request).

NOTE: While not characterized as a report, WBL routinely sends a data file specific to license actions (newly issued licenses, amendments to existing licenses, fee code or billing address changes, etc.) to FAIMIS. The data in this file is used to support the billing process (see response D.2 (1) below).

a. What are the reports used for?

Used to track applications, inspections, performance metrics, action types, and other activities pertaining to license applications.

b. Who has access to these reports?

Authorized WBL users.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

NMSS, OCFO and the Regional Offices.

(1) For what purpose?

OCFO users access WBL for Part 171 billing purposes - applying and verifying fee codes and billing information. Regarding the billing related information, only the OCFO Fee Analyst role will have access to view and enter the information.

All other authorized WBL users access reports to track applications, inspections, performance metrics, action types, and other activities pertaining to license applications.

(2) Will access be limited?

Yes, access to WBL is restricted to users approved by NMSS or Agreement State representatives and within those groups by specifically assigned roles.

2. Will other NRC systems share data with or have access to the data in the system?

Yes.

(1) If yes, identify the system(s).

WBL licensee/license information will be shared with:

NRC FAIMIS System - The requirements for data sharing between WBL and FAIMIS are for the purpose of transferring NRC materials license data from WBL to FAIMIS in order to support the billing functionality within FAIMIS. WBL generates a file of license information on a nightly basis and transfers it to FAIMIS for import into its billing process. The license data elements provided are license number, fee category, contact and address information (basic docket and licensing information and the fee categories that apply to a given license).

NRC Reactor Program System (RPS) Agency Docket table - The requirements for data sharing between WBL and RPS are for the purpose of transferring NRC materials license and docket information from WBL to RPS for inclusion in NRC's central repository of docket information. WBL generates a file of license and docket information on a nightly basis and transfers it to RPS for import into its Docket Table. WBL provides RPS materials license and docket data elements (e.g. license number, docket number, contact and address information) needed for inclusion in NRC's central repository of docket information.

NRC National Source Tracking System (NSTS) - The requirements for data sharing between WBL and NSTS are for the purpose of providing WBL's license information (only on licenses authorized to have Category 1 and/or Category 2 sources) as an input to the NSTS. WBL sends the licensing information as an export file. The license data elements provided include (Action type - Add, Update, or Delete, Licensing Agency, License Number, Docket Number (NRC Licenses only), Licensee Name, License Category, Primary Program Code, Street Address: Line1, Line2, City, State, Zip, Mailing Address: Line1, Line2, City, State, Zip, Company Phone, Company Fax, One or more Locations).

NRC License Verification System (LVS) - The requirements for data sharing between WBL and LVS are for the purpose of providing accurate license information (possibly including an image of the actual license) to LVS users during the license verification process. WBL is the authoritative source for license information. During the LVS verification process, WBL receives license and materials possession limit requests through an automated system interface from LVS. Upon receipt of the query, WBL responds by providing license and maximum material possession limit information as available from the database. The data provided to LVS includes Licensing Agency, License Number, Licensee Name, Street Address: Line1, Line2, City, State, Zip, One or more Locations, Temporary Job site flag, One or more Possession Limits with the following elements: Material Type, converted Material Quantity (in Curies), Graphical image file of actual License, License Corrected Copy flag, Data Sensitivity flag, Category 2 Authorized flag.

NRC Agencywide Documents Access and Management System (ADAMS) - The requirements for data sharing between WBL and ADAMS are to allow WBL to programmatically call ADAMS and send a document and accompanying profile to ADAMS. It is expected that ADAMS will return the generated accession number back to WBL. The purpose is to ensure that the official license coming out of the WBL process and any supporting documentation that the license applicant has submitted is posted to the official NRC records.

(2) How will the data be transmitted or disclosed?

Data is transmitted electronically via system to system programmatic interfaces.

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

(1) If yes, who?

Authorized Agreement State (AS) Agency personnel; Authorized NRC Licensee personnel; and Authorized AS Licensee personnel.

(2) Will access be limited?

Yes.

(3) What data will be accessible and for what purpose/use?

Authorized Agreement State Agency personnel are able to use WBL to track only licenses and inspections specific to their State and are able to view all agencies' licenses for license verification purposes.

Authorized Licensee personnel (NRC and AS) are able to submit license applications and can check the status of only their own license applications.

(4) How will the data be transmitted or disclosed?

Via WBL online web interface.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federal Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARA's Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRC's Comprehensive Records Disposition Schedule (NUREG-0910), or NARA's General Records Schedules (GRS)?

Yes.

  • Some records and data may not have an associated retention policy established below. If so, NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained.

Until the approval of such schedule, these records and information are Permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C., Chapter 101, and Section 2071. Implementation of retention schedules is mandatory under 44 U.S.C. 3303a (d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

Record: Licensing Tracking System (LTS) and Web-Based Licensing (WBL)
Schedule: N1-431-08-12
Disposition: Temporary. Cut off license information when the license or certificate is terminated and mark the license as Terminated. Delete/destroy the license information 20 years after cutoff and when no longer required for business reasons.

Record: Financial Accounting and Integrated Management Information System (FAIMIS)
Schedule: N1-431-10-001
Disposition: Temporary. Cut off at the end of the fiscal year and transfer to inactive storage within FAIMIS data storage. Delete/destroy 10 years after cutoff.

Record: Reactor Program System (RPS)
Schedule: N1-431-08-18
Disposition: Temporary. Maintain the information in the RPS tables for as long as the NRC administers the licensing and inspection of Nuclear Power Plant Facilities. Cutoff when the function is terminated or RPS is decommissioned. Transfer the information to the successor system and delete/destroy the RPS tables 1 year after cut off.

If any additional records or data are permanent according to NUREG 0910, see *note above under E1).

Record: Fee and fine collection. Copies used for administrative or reference purposes.
Schedule: GRS 1.1 item 011
Disposition: Temporary. Destroy when business use ceases.

Record: Form 313 - Application for Materials License
Schedule: GRS 5.2 item 020
Disposition: Temporary. Destroy upon verification of successful creation of the final document or file, or when no longer needed for business use, whichever is later.

Record: Fee Determination Background Files
Schedule: NUREG 0910 rev 4, Part 5 item 4. a
Disposition: Temporary. Cut off at close of fiscal year. Destroy 6 years after cutoff.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Users must apply for access to the system. To apply for WBL, a potential user must use the ISMP Portfolio Enrollment Module (PEM) to enter their name, business and basic license information; PEM then passes that information over to the Identity, Credential, and Access Management system (ICAM) owned by OCIO. The PEM Privacy Impact Assessment (ML20065L347) review determined that PEM is covered by the Privacy Act, does not contain any Personally Identifiable Information (PII) and is covered under the OCIO NRC-45 Digital Certificates for Personal Identity Verification. The NRC or Agreement State agency program sponsor must then approve the user for access and assign the appropriate role. The user then goes through an identity verification process that is performed via NRC's ICAM. Once approved, the user accesses WBL via a One-Time-Password device or X.509 digital certificate.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

All user access to WBL is controlled via Role Based Access Controls.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

WBL System Requirements Specification (SRS) document, version 2.1, dated March 10, 2011 (ML16007A741) and the most recent ISMP System Security Plan (SSP), version 5.2, dated December 10, 2020 (ML20349A333).

4. Will the system be accessed or operated at more than one location (site)?

Yes.

a. If yes, how will consistent use be maintained at all sites?

As a component resident application of the ISMP, WBL operates in the Microsoft Azure Commercial Cloud Virginia Region. WBL is supported at the Leidos Rockville, Maryland location via VPN connection to Microsoft Azure. WBL is supported at the Leidos Richland, Washington location via an IPSEC tunnel to ISMP.

5. Which user groups (e.g., system administrators, project managers, etc.) have access to the system?

Authorized NRC and Agreement State Agency users and credentialed Licensees.

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

The WBL application audit mechanism captures end user and application administrator access to the application. The following information is captured in the audit records: date and time of the event; the component of the information system (Internet Protocol (IP) address) where the event occurred; type of event; user/subject identity; and the outcome (success or failure) of the event.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

The WBL application audit mechanism captures end user and application administrator access to the application.

The WBL application implements role-based authorization, granting access to users based on their assigned role. The role assignment function is restricted to the application administrator. With regard to system administrator access, assigned authorizations to access the WBL servers are enforced using the Windows operating system role-based access control mechanism.

All WBL servers have anti-virus software, host-based intrusion prevention software, and host-based firewalls installed. Anti-virus software is configured for at least daily virus-definition updates. Network protections include a layered firewall design that implements rule sets to deny all and permit by exception. Network security groups provide the ability to filter traffic by source and destination IP address, port, and protocol, and User Defined Routes control the flow between each subnet. Additional technical safeguards and monitoring are provided using SecureVue SIEM, Tripwire (file integrity monitoring), ePO, Nessus (vulnerability scanner), Intrusion Prevention Systems, and F5's ASM (Application Security Manager).

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes.

a. If yes, when was Certification and Accreditation last completed? And what FISMA system is this part of?

The ISMP Authority to Operate (ATO) was last renewed on July 16, 2018 (ML18197A165) and ISMP has since maintained its ATO via continuous monitoring. WBL's ATO was approved on September 20, 2012 (ML12254B071) and was incorporated into ISMP via the Security Impact Assessment process.

b. If no, is the Certification and Accreditation in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Office's (CSO's) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Web-Based Licensing (WBL) Integrated Source Management Portfolio (ISMP)

Submitting Office: NMSS

A. PRIVACY ACT APPLICABILITY REVIEW

X Privacy Act is not applicable.

Privacy Act is applicable.

Comments:

WBL does not maintain any personally identifiable information, only business-related information.

Reviewer's Name:
Title: Privacy Officer

B. INFORMATION COLLECTION APPLICABILITY DETERMINATION

No OMB clearance is needed.

OMB clearance is needed.

X Currently has OMB Clearance. Clearance No. 3150-0120

Comments:

Reviewer's Name:
Title: Agency Clearance Officer

Signed by Hardy, Sally on 06/16/21
Signed by Cullison, David on 06/04/21

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION

No record schedule required.

X Additional information is needed to complete assessment.

Needs to be scheduled.

X Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewer's Name:
Title: Sr. Program Analyst, Electronic Records Manager

D. BRANCH CHIEF REVIEW AND CONCURRENCE

X This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

Signed by Dove, Marna on 06/16/21
Signed by Nalabandian, Garo on 06/17/21

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/PRIVACY IMPACT ASSESSMENT REVIEW RESULTS

TO: John W. Lubinski, NMSS

Name of System: Web-Based Licensing (WBL) Integrated Source Management Portfolio (ISMP)

Date CSB received PIA for review: May 21, 2021

Date CSB completed PIA review: June 16, 2021

Noted Issues:

Chief
Cyber Security Branch
Governance and Enterprise Management Services Division
Office of the Chief Information Officer

Signature/Date:

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.
Director
IT Services Development and Operations Division
Office of the Chief Information Officer

Jonathan R. Feibus
Chief Information Security Officer (CISO)
Office of the Chief Information Officer

Signed by Nalabandian, Garo on 06/17/21