Radiation Protection Computer Code Analysis & Maintenance Program (Ramp) Website Privacy Impact Assessment

ML23090A178
Person / Time
Issue date:	05/04/2023
From:	Office of Nuclear Regulatory Research
To:
Bobryakova N
References
Download: ML23090A178 (16)
v • d • e

Text

U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Radiation Protection Computer Code Analysis & Maintenance Program (RAMP) Website Date: March 14, 2023 A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

Radiation Protection Computer Code Analysis and Maintenance Program (RAMP) is a U.S. Nuclear Regulatory Commission (NRC) program with the purpose of developing, distributing, maintaining, and providing training for NRC-sponsored radiation protection computer codes. The RAMP website is the online repository for the Office of Nuclear Regulatory Research (RES) RAMP computer codes and related documents. Only registered members have access to the RAMP computer codes, online training, and meeting materials. Users access the website via https://ramp.nrc-gateway.gov.

The RAMP website is hosted on a Federal Risk and Authorization Management Program (FedRAMP) authorized cloud platform provided by Acquia Inc. The Acquia Drupal platform relies on the physical infrastructure provided by the Amazon Web Services East/West U.S. Public Cloud.

RAMP is a subsystem of the Office of the Chief Information Officer (OCIO) Third Party System (TPS). TPS provides a framework for managing cybersecurity compliance for various external information technology services used by NRC.

TPS and its subsystems have no technical components on the NRC infrastructure.

2. What agency function does it support? (How will this support the U.S. Nuclear Regulatory Commissions (NRCs) mission, which strategic goal?))

RAMP supports the agency licensing, inspection, and emergency response functions through development, maintenance, and distribution of the radiation protection computer codes. It also fosters information exchange and assists in the regulatory mission of international regulatory partners.

PIA Template (09-2022)

3. Describe any modules or subsystems, where relevant, and their functions.

The RAMP website utilizes a Platform as a Service (PaaS) cloud environment provided by Acquia. The website configurations are implemented through Drupal 9, which provides management modules to properly structure and place content.

a. Provide Agencywide Documents Access and Management System (ADAMS) ML numbers for all Privacy Impact Assessments or Privacy Threshold Analysis for each subsystem.

N/A.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

The regulations in Title 10 of the Code of Federation Regulations (10 CFR) Part 20, Standards for Protection Against Radiation, require all licensees to meet dose limits. The computer codes in RAMP calculate different scenarios for dose limits. If the computer code printout determines the dose is below the limits in 10 CFR Part 20, the licensee meets the requirement. If the doses are above the limit, the licensee is required to implement processes to bring the doses below the limit.

5. What is the purpose of the system and the data to be collected?

The purpose of RAMP is to support the development, maintenance, and distribution of the NRC's vast array of radiation protection, dose assessment, and emergency response computer codes, as well as periodic training on the codes.

PIA Template (09-2022)

6. Points of

Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager Office/Division/Branch Telephone Rigel Flora RES/DSA/RPB 301-415-3890 Business Project Manager Office/Division/Branch Telephone Rigel Flora RES/DSA/RPB 301-415-3890 Technical Project Manager Office/Division/Branch Telephone Wendy Chinchilla Leidos 240-753-0185 Executive Sponsor Office/Division/Branch Telephone Raymond Furstenau RES 301-415-1902 ISSO Office/Division/Branch Telephone Natalya Bobryakova OCIO/GEMSD/CSB/IAT 301-287-0671 System Owner/User Office/Division/Branch Telephone Raymond Furstenau RES 301-415-1902

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?

a. New System Modify Existing System X Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1) If yes, provide the date approved and the ADAMS accession number.

The accession number is ML22046A317, and PIA was approved on March 7, 2022.

PIA Template (09-2022)

(2) If yes, provide a summary of modifications or other changes to the existing system.

The PIA was transferred into the new template and updates were made to the points of contact information.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

The RAMP website is a subsystem of the NRCs TPS. The TPS EA number is 20180002.

b. If, no, please contact EA Service Desk to get the EA/Inventory number.

B. INFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS

a. Does this system maintain information about individuals?

Yes.

(1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public

[provide description for general public, non-licensee workers, applicants before they are licenses etc.]).

Federal employees, Federal contractors, licensees, and individuals from the general public, such as non-licensee workers and applicants.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g. Social Security Number (SSN), Place of Birth, Name, Address)?

The RAMP website stores the following information for the registered users: first and last names, the organization that the user belongs to, codes requested, and membership type (foreign or domestic).

PIA Template (09-2022)

Also, Country of citizenship, business email address, and business telephone number are collected in a non-disclosure agreement form, but this information is not maintained in the RAMP system. The non-disclosure agreement forms are stored in ADAMS and protected as personally identifiable information (PII).

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

Yes, the information in a non-disclosure agreement form is collected from an individual.

(1) If yes, what information is being collected?

First and last names, the organization that the user belongs to, business email address, business mailing address, and country of citizenship.

d. Will the information be collected from individuals who are not Federal employees?

Yes.

(1) If yes, does the information collection have the Office of Management and Budgets (OMB) approval?

Yes.

(a) If yes, indicate the OMB approval number:

The approval number is 3150-0240.

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

No, only from the individual.

PIA Template (09-2022)

(1) If yes, identify the source and what type of information is being collected?

N/A.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

All information will be collected from the subject individual.

h. How will the information be collected (e.g. form, data transfer)?

A user will download a non-disclosure agreement form from the website and fill out the form, and then eFax or email the form to RAMP@nrc.gov.

2. INFORMATION NOT ABOUT INDIVIDUALS

a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

NRC-sponsored radiation protection computer codes (RASCAL, GENII, MiLDOS, DandD, SNAP/RADTRAD, HABIT, GALE, RADTRAN, NRCDose, VARKSIN, Radiological Toolbox, PiMAL, PAVAN, and ARCON96) and related documents. The related documents contain information on how to run the computer codes and training materials.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

RES maintains and develops the RAMP suite of codes. The codes are housed on the RAMP website for download.

C. USES OF SYSTEM AND INFORMATION These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The codes are run by the users for emergency response for radiation dosage, consequence analysis, decontamination, and other functions.

PIA Template (09-2022)

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

3. Who will ensure the proper use of the data in this system?

The RES RAMP Program Manager approves RAMP users who have submitted a non-disclosure agreement to RAMP@nrc.gov.

4. Are the data elements described in detail and documented?

No.

a. If yes, what is the name of the document that contains this information and where is it located?

N/A.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

See the RAMP System Security Plan (SSP), ML18338A473, for all security controls.

PIA Template (09-2022)

6. How will data be retrieved from the system? Will data be retrieved by an individuals name or personal identifier (name, unique number or symbol)?

(Be specific.)

Users must login to the RAMP website with a user ID and password in order to download codes. No information about individuals is retrieved from the system.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

N/A.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

No.

a. If Yes, provide name of SORN and location in the Federal Register.

N/A.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

10. List the report(s) that will be produced from this system.

None.

a. What are the reports used for?

N/A.

b. Who has access to these reports?

N/A.

PIA Template (09-2022)

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

Only RES RAMP program managers, RES management, and Leidos RAMP contractors will have access to the data in the system.

(1) For what purpose?

For input and maintenance of the system.

(2) Will access be limited?

Access will be limited to only those whose job it is to maintain the system.

2. Will other NRC systems share data with or have access to the data in the system?

No.

(1) If yes, identify the system(s).

N/A.

(2) How will the data be transmitted or disclosed?

N/A.

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

(1) If yes, who?

Members of the public who have signed a non-disclosure agreement, been vetted by the NRC RAMP Program Manager, and assigned a user identifier (ID).

(2) Will access be limited?

Yes. They will only have access to the codes and related documents they are approved for, based on the approved non-disclosure agreement.

(3) What data will be accessible and for what purpose/use?

Only the codes and related documents that the user has been approved for will be accessible to the user.

PIA Template (09-2022)

(4) How will the data be transmitted or disclosed?

The data will be downloaded from the website by the user.

4. Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA))

RAMP is FedRAMP authorized. Acquia documents information on the functional properties of security controls within their FedRAMP documentation. The Acquia NRC ATO letter was approved on July 15, 2019 and is available in the OCIO CSO FISMA Repository.

E. RECORDS AND INFORMATION MANAGEMENT (RIM)-RETENTION AND DISPOSAL The National Archives and Records Administration (NARA), in collaboration with Federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federation Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARAs Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

1) Can you map this system to an applicable retention schedule in NRCs Comprehensive Records Disposition Schedule (NUREG-0910), or NARAs General Records Schedules (GRS)?

No.

This system will need to be scheduled; therefore, NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained. Until the approval of such schedule, these records and information are permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C., Chapter 101, and Section 2071. Implementation of retention schedules is mandatory under 44 U.S. 3303a (d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.

PIA Template (09-2022)

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

N/A.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

RES should coordinate with the records retention group to identify which retention schedules are applicable to RAMP. The retention schedule should support the RAMP website redesign in terms of how the content/data is managed.

Retention schedules to be considered for RAMP may include:

According to NRC Management Directive 10.131 - Protection of NRC Employees Against Ionizing Radiation, records shall be maintained according to NUREG 0910, 2.17 item 19 (NMSS) and 2.25 item 19 (REGIONS) . These schedules refer to: Radiation Protection Program Records. Part of the description for these records state, records documenting equipment calibrations, and computations determining exposure hazard or compliance with the requirements of Management Directive 10.131 Temporary. Cut off electronic files at close of fiscal year. Destroy 75 years after cutoff.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

See the RAMP SSP (ML18338A473) for all security controls.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

RAMP utilizes password-based authentication and role-based access controls.

The RAMP SSP details the current system security controls used to prevent the misuse of data.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

PIA Template (09-2022)

(1) If yes, where?

See the RAMP SSP (ML18338A473) for all security controls as well as the Acquia Cloud Fed RAMP documentation.

4. Will the system be accessed or operated at more than one location (site)?

No.

a. If yes, how will consistent use be maintained at all sites?

N/A.

5. Which user groups (e.g., system administrators, project managers, etc.)

have access to the system?

System administrators and users (registered members).

6. Will a record of their access to the system be captured?

Yes.

a. If yes, what will be collected?

A log contains the user ID, allowed codes for access, start date of membership, and last login date and time.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or Personally Identifiable Information (PII) contract clauses are inserted in their contracts.

Federal Acquisition Regulation (FAR) clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

See the RAMP SSP (ML18338A473) for all security controls.

PIA Template (09-2022)

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

Yes, data is secured in accordance with FISMA requirements. RAMP relies on the Acquia Cloud security controls to secure system data.

a. If yes, when was Assessment and Authorization last completed?

And what FISMA system is this part of?

Acquia Cloud was authorized by FedRAMP on April 13, 2016. The RAMP website was authorized by the NRC Authorizing Official on January 30, 2018 (ML20092F911). The RAMP website is now a subsystem of NRCs TPS.

b. If no, is the Assessment and Authorization in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Offices (CSOs) Point of Contact (POC) via email quarterly to ensure the authorization remains on track.

N/A.

PIA Template (09-2022)

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Radiation Protection Computer Code Analysis & Maintenance Program (RAMP)

Website Submitting Office: Office of Nuclear Regulatory Research A. PRIVACY ACT APPLICABILITY REVIEW X Privacy Act is not applicable.

Privacy Act is applicable.

Comments:

RAMP system does not contain PII information. The RAMP website stores first and last names, business information only to include the organization that the user belongs to, and membership type (foreign or domestic) and user id. The NDAs do contain PII information, they are stored in ADAMS, the NDAs need to be restricted access in ADAMS for only those that have a need to know.

Reviewers Name Title Signed by Hardy, Sally on 04/12/23 Privacy Officer B. INFORMATION COLLECTION APPLICABILITY DETERMINATION No OMB clearance is needed.

OMB clearance is needed.

X Currently has OMB Clearance. Clearance No. 3150-0240 Comments:

The OMB information collections clearance is for the NDA.

Reviewers Name Title Signed by Cullison, David on 04/10/23 Agency Clearance Officer PIA Template (09-2022)

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION No record schedule required.

Additional information is needed to complete assessment.

X Needs to be scheduled.

Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Additional information/data/records kept in this system may need to be scheduled; therefore, NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained. Until the approval of such schedule, these records and information are Permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C., Chapter 101, and Section 2071. Implementation of retention schedules is mandatory under 44 U.S.

3303a (d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.

Reviewers Name Title Signed by Dove, Marna Sr. Program Analyst, Electronic Records on 04/11/23 Manager D. BRANCH CHIEF REVIEW AND CONCURRENCE This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

X This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Signed by Harris, Kathryn on 04/25/23 Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information Officer PIA Template (09-2022)

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/

PRIVACY IMPACT ASSESSMENT REVIEW RESULTS TO: Rigel Flora - RES/DSA/RPB Name of System: Radiation Protection Computer Code Analysis & Maintenance Program (RAMP) Website Date CSB received PIA for review: Date CSB completed PIA review:

March 30, 2023 April 12, 2023 Noted Issues:

RAMP system does not contain PII information. The RAMP website stores first and last names, the organization that the user belongs to, and membership type (foreign or domestic) and user id.

The Non-Disclosure Agreement (NDA) is used for granting/vetting access to the RAMP system. Country of citizenship, business email address, and business telephone number are collected in the NDA form. The non-disclosure agreement form is stored in ADAMS and is not maintained in the RAMP system.

The NDAs contains PII information and needs to be restricted access in ADAMS to only those that have a need to know.

Chief Signature/Date:

Cyber Security Branch Governance and Enterprise Management Signed by Harris, Kathryn Services Division on 04/25/23 Office of the Chief Information Officer Copies of this PIA will be provided to:

Gwendolyn Hayden Acting Director IT Services Development and Operations Division Office of the Chief Information Officer Garo Nalabandian Chief Information Security Officer (CISO)

Office of the Chief Information Officer PIA Template (09-2022)