ML23348A317
| ML23348A317 | |
| Person / Time | |
|---|---|
| Issue date: | 12/08/2023 |
| From: | NRC/OCIO/CISD, Oasis Systems |
| To: | |
| Bobryakova N | |
| References | |
| Download: ML23348A317 (21) | |
Text
U.S. Nuclear Regulatory Commission Privacy Impact Assessment Enterprise File Synchronization and Sharing (EFSS)
Office of the Chief Information Officer (OCIO)
Version 1.0 12/08/2023 Template Version 2.0 (08/2023)
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 Document Revision History Date Version PIA Name/Description Author 12/08/2023 1.0 Enterprise File Synchronization and Sharing (EFSS)
- Final Release OCIO Oasis Systems, LLC 11/15/2023 DRAFT Enterprise File Synchronization and Sharing (EFSS)
- Draft Release OCIO Oasis Systems, LLC
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 Table of Contents 1
Description 1
2 Authorities and Other Requirements 3
3 Characterization of the Information 4
4 Data Security 6
5 Privacy Act Determination 9
6 Records and Information Management-Retention and Disposal 10 7
Paperwork Reduction Act 13 8
Privacy Act Determination 14 9
OMB Clearance Determination 15 10 Records Retention and Disposal Schedule Determination 16 11 Branch Chief Review and Concurrence 17
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 1 The agency is subject to the requirements of the E-Government Act and is committed to identifying and addressing privacy risks whenever it develops or makes changes to its information systems. The questions below help determine any privacy risks related to the E-Government Act or later guidance by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST).
Name/System/Subsystem/Service Name: Enterprise File Synchronization and Sharing (EFSS).
Data Storage Location (i.e., Database Server, SharePoint, Cloud, Other Government Agency, Power Platform): The EFSS system is hosted by Box, Inc. in a secure cloud environment.
Date Submitted for review/approval: December 13, 2023.
1 Description 1.1 Provide the description of the system/subsystem, technology (i.e., Microsoft Products), program, or other data collections (hereinafter referred to as project).
Explain the reason the project is being created.
The Enterprise File Synchronization and Sharing (EFSS) system is a cloud-based system that enables collaborative authoring and sharing of documents on a secure collaboration platform (Box) hosted by Box, Inc. EFSS is the U.S. Nuclear Regulatory Commissions (NRC)s implementation of the Box Software as a Service (SaaS) solution.
EFSS provides a secure method for collaboration and sharing of documents between the NRC internal users (NRC staff and contractors) and authorized external parties, including but not limited to: NRC licensees, other Federal agencies, and NRC job applicants. EFSS allows collaboration in an online folder system and makes it effective across devices, teams, and organizations. The system is not permitted to be used for long-term storage of agency documents and is set to retain documents for 120 days by default. An extended retention period can be approved for specific projects based on the business justification.
EFSS is accessible through a web browser; it does not require any additional software or hardware to be installed by the user. In addition, EFSS users have the option to use Box Edit, an add-on feature that allows users to open and edit files stored in EFSS using the default applications (desktop Microsoft Office applications) installed on their computers.
The NRC internal users are authenticated to the Box Platform through the NRC Identity, Credential, and Access Management (ICAM) Authentication Gateways Single Sign-on (SSO).
Once authenticated, users with elevated privileges can create folders in EFSS, upload files, and invite external partners to view/edit files to facilitate collaboration. External recipients must accept the invitation sent via email by the system and create an account in the Box Platform within 90 days in order to access EFSS content. The Office of the Chief Information Officer (OCIO) EFSS system administrator (SYS ADMIN), NRC Program Office (Office) EFSS administrators (Office ADMINs), and internal collaborators have the ability to establish file and folder permissions such as read-only, no print, write, and access expiration based on their account privileges.
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 2 The OCIO System Administrator will create a root folder for each Office upon request from that Office. Each Office will have the ability to manage the file and folder permissions within their root folder. The Office ADMINs can give users co-owner rights for sub-folders under the root folder within EFSS that allow the user to establish external collaboration projects and upload documents to the subfolder(s) for access by external parties.
EFSS is a subsystem of the OCIO Third Party System (TPS). TPS provides a framework for managing cybersecurity compliance for the external IT services used by NRC. TPS and its subsystems have no technical components on the NRC infrastructure.
Please mark appropriate response below if your project/system will involve the following:
PowerApps Public Website Dashboard Internal Website SharePoint None Other: Cloud-based system 1.2 Does this privacy impact assessment (PIA) support a proposed new project, proposed modification to an existing project, or other situation? Select options that best apply in table below.
Mark appropriate response.
Status Options
New system/project
Modification to an existing system/project.
If modifying or making other updates to an existing system/project, provide the ADAMS ML of the existing PIA and describe the modification.
Annual Review If making minor edits to an existing system/project, briefly describe the changes below.
The PIA has been transferred into the latest template.
Other (explain)
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 3 1.3 Points of
Contact:
Project Manager System Owner/Data Owner/Stewar d
ISSO Busines s Project Manager Technical Project Manager Executive Sponsor Name Roy Choudhury Caroline Carusone Natalya Bobryakova N/A Roy Choudhury Caroline Carusone Office
/Division
/Branch Office of the Chief Information Officer (OCIO) / IT Services Development
& Operations Division (ITSDOD) /
Application Development Services Branch (ADSB) /
Cross-Cutting Applications Team (CCAT)
Office of the Chief Information Officer (OCIO) /
IT Services Development &
Operations Division (ITSDOD)
Office of the Chief Information Officer (OCIO) /
Cyber and Infrastructure Security Division (CISD)
N/A Office of the Chief Information Officer (OCIO) /
IT Services Development
& Operations Division (ITSDOD) /
Application Development Services Branch (ADSB) /
Cross-Cutting Applications Team (CCAT)
Office of the Chief Information Officer (OCIO) / IT Services Development
& Operations Division (ITSDOD)
Telephone 301-415-7226 301-415-1085 301-287-0671 N/A 301-415-7226 301-415-1085 2 Authorities and Other Requirements 2.1 What specific legal authorities and/or agreements permit the collection of information for the project?
Provide all statutory and regulatory authorities for operating the project, including the authority to collect the information; NRC internal policy is not a legal authority. Please mark appropriate response in table below.
Mark with an X on all that apply.
Authority Citation/Reference
Statute
Executive Order
Federal Regulation
Memorandum of Understanding/Agreement
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 4 Mark with an X on all that apply.
Authority Citation/Reference
Other (summarize and provide a copy of relevant portion)
Part of the NRCs mission is official information dissemination, i.e., to share information from NRC staff members to authorized external users that rely on NRC-provided information. EFSS supports secure file sharing and collaboration for NRC users that need to collaborate with parties and organizations outside the NRC. Box provides a cloud platform that ensures the secure transmission of information shared with external parties.
2.2 Explain how the information will be used under the authority listed above (i.e., enroll employees in a subsidies program to provide subsidy payment).
All data stored in EFSS is used solely for the purpose of sharing and collaborating with authorized external parties in support of the NRC mission.
If the project collects Social Security numbers, state why this is necessary and how it will be used.
The files placed in EFSS may contain Social Security numbers if this is necessary for information sharing with authorized users in support of business functions. This information can be retained in the system for no longer than 120 days, unless a business justified exception for longer retention is approved by the NRC.
3 Characterization of the Information In the table below, mark the categories of individuals for whom information is collected.
Category of individual
Federal employees
Contractors
Members of the Public (any individual other than a federal employee, consultant, or contractor)
Licensees
Other In the table below, is a list of the most common types of PII collected. Mark all PII that is collected and stored by the project/system. If there is additional PII not defined in the table below, a comprehensive listing of PII is provided for further reference in ADAMS at the following link: PII Reference Table 2023.
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 5 Categories of Information
Name
Resume or curriculum vitae
Date of Birth
Driver's License Number
Country of Birth
License Plate Number
Citizenship
Passport number
Nationality
Relatives Information
Race
Taxpayer Identification Number
Home Address
Credit/Debit Card Number
Social Security number (Truncated or Partial)
Medical/health information
Gender
Alien Registration Number
Ethnicity
Professional/personal references
Spouse Information
Criminal History
Personal email address
Biometric identifiers (facial images, fingerprints, iris scans)
Personal Bank Account Number
Emergency contact e.g., a third party to contact in case of an emergency
Personal Mobile Number
Accommodation/disabilities information
Marital Status
Children Information
Mother's Maiden Name
Other: The files placed in EFSS may contain any identifiable information about an individual if it is needed for business functions. This information may include an individuals name, address, phone number, date of birth, place of birth, social security number, or driver's license number; and any other information that is linkable to an individual, such as employment information.
3.1 Describe how the data is collected for the project. (i.e., NRC Form, survey, questionnaire, existing NRC files/ databases, response to a background check).
The information shared in EFSS may originate from other NRC systems or databases.
However, EFSS is not directly interconnected with any other systems. The information shared in EFSS can originate from any existing NRC file, database, or information system.
3.2 If using a form to collect the information, provide the form number, title and/or a link.
N/A.
3.3 Who provides the information? Is it provided directly from the individual or a third party.
The files placed in EFSS may contain information collected from the subject individual or from
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 6 other parties on behalf of an individual. However, in most cases, this information is collected outside of EFSS.
3.4 Explain how the accuracy of the data collection is validated. If the project does not check for accuracy, please explain why.
Each Office / NRC Region is responsible for verifying the information they upload to/download from EFSS.
3.5 Will PII data be used in a test environment? If so, explain the rationale.
N/A.
3.6 What procedures are in place to allow the subject individual to correct inaccurate or erroneous information?
N/A.
4 Data Security 4.1 Describe who has access to the data in the project (i.e., internal NRC, system administrators, external agencies, contractors, public).
NRC staff and contractors including system administrators and authorized external parties (NRC licensees, other Federal agencies, and NRC job applicants) have access to the data in EFSS.
The EFSS SYS ADMIN creates the root folders for all NRC Offices and will have access to view files and folders from all Office folders. Each Office ADMIN will have access to all data within their Office root folder and will have the ability to set access permissions for sub-folders within each Office.
4.2 If the project/system shares information with any other NRC systems, identify the system, what information is being shared and the method of sharing.
EFSS does not directly interconnect with other NRC systems. However, the information downloaded from EFSS by NRC users may be uploaded to other NRC systems if this is needed for business functions.
4.3 If the project/system connects, receives, or shares information with any external non-NRC partners or systems, identify what is being shared.
EFSS is a file sharing and collaboration tool used to share data with authorized parties outside of the agency which can include other agencies, organizations, and licensees.
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 7 Identify what agreements are in place with the external non-NRC partner or system in the table below.
Agreement Type
Contract Provide Contract Number:
License Provide License Information:
Memorandum of Understanding Provide ADAMS ML number for MOU:
Other
None 4.4 Describe how the data is accessed and describe the access control mechanisms that prevent misuse.
All internal users sign in through the agencys ICAM Authentication Gateway SSO solution. The external users sign in through a Multi-factor Authentication (MFA) enforced by Box. Users can only access data that they have been given permission to access by a user with co-owner rights to a file or folder. Access to any data in the system will be based on the individual users permissions for collaboration projects.
4.5 Explain how the data is transmitted and how confidentiality is protected (i.e.,
encrypting the communication or by encrypting the information before it is transmitted).
The EFSS internal and external users upload/download the files to/from EFSS using secure file transfer over a HyperText Transfer Protocol Secure (HTTPS) connection which encrypts data during transmission.
4.6 Describe where the data is being stored (i.e., NRC, Cloud, Contractor Site).
The data is stored in the Box cloud platform that is authorized by the Federal Risk and Authorization Management Program (FedRAMP).
4.7 Explain if the project can be accessed or operated at more than one location.
N/A.
4.8 Can the project be accessed by a contractor? If so, do they possess an NRC badge?
Box, Inc., the Cloud Service Provider (CSP), employs contractors in the design, development, and maintenance of their cloud platform. NRC internal contractors support the implementation and maintenance of EFSS on the Box cloud platform. The NRC contractors possess an NRC badge. The CSPs personnel do not possess an NRC badge.
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 8 4.9 Explain the auditing measures and technical safeguards in place to prevent misuse of data.
The NRC Security Operations Center (SOC) monitor the EFSS audit logs and alerts to prevent misuse of data. Audit logs capture user and administrator activities within EFSS as well as the date and time of the events. T h e N R C users must comply with the EFSS Rules of Behavior and any applicable NRC policies, procedures, and rules governing the use of the NRC information technology resources. The external users have only the minimum level of access granted by the NRC system administrators.
4.10 Describe if the project has the capability to identify, locate, and monitor (i.e.,
trace/track/observe) individuals.
N/A.
4.11 Define which FISMA boundary this project is part of.
EFSS is a subsystem of the NRCs Third-Party System (TPS).
4.12 Is there an Authority to Operate (ATO) associated with this project/system?
Authorization Status
Unknown
No If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Organization (CSOs)
Point of Contact (POC) via email quarterly to ensure the authorization remains on track.
In Progress provide the estimated date to receive an ATO.
Estimated date:
Yes Indicate the data impact levels (Low, Moderate, High, Undefined) approved by the Chief Information Security Officer (CISO)
Confidentiality-Moderate Integrity-Moderate Availability-Moderate 4.13 Provide the NRC system Enterprise Architecture (EA)/Inventory number. If unknown, contact EA Service Desk to get the EA/Inventory number.
EFSS is a subsystem of TPS. The TPS EA number is 20180002.
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 9 5 Privacy Act Determination 5.1 Is the data collected retrieved by a personal identifier?
Mark the appropriate response.
Response
Yes, the PII is retrieved by a personal identifier (i.e., individuals name, address, SSN, etc.)
List the identifiers that will be used to retrieve the information on the individual.
No, the PII is not retrieved by a personal identifier.
If no, explain how the data is retrieved from the project.
Data can be retrieved from EFSS by viewing or downloading shared files. Data cannot be retrieved from shared files by an individuals name or a personal identifier.
The EFSS system administrator can retrieve an event history of a user account by a username.
5.2 For all collections where the information is retrieved by a personal identifier, the Privacy Act requires that the agency publish a System of Record Notice (SORN) in the Federal Register. As per the Privacy Act of 1974, "the term 'system of records' means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some other personal identifier assigned to the individual.
Mark the appropriate response in the table below.
Response
Yes, this system is covered by an existing SORN. (See existing SORNs:
https://www.nrc.gov/reading-rm/foia/privacy-systems.html )
Provide the SORN name, number, (List all SORNs that apply):
SORN is in progress
SORN needs to be created
Unaware of an existing SORN
No, this system is not a system of records and a SORN is not applicable.
5.3 When an individual is asked to provide personal data (i.e., form, webpage, survey), is a Privacy Act Statement (PAS) provided?
A Privacy Act Statement is a disclosure statement required to appear on documents used by agencies when an individual is asked to provide personal data. It is required for
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 10 any forms, surveys, or other documents, including electronic forms, used to solicit personal information from individuals that will be maintained in a system of records.
Mark the appropriate response.
Options
Privacy Act Statement The files that are uploaded to EFSS for sharing may include electronic documents that provide a Privacy Act Statement. A Privacy Act Statement is provided on individual electronic documents (e.g., forms) if necessary.
Not Applicable
Unknown 5.4 Is providing the PII mandatory or voluntary? What is the effect on the individual by not providing the information?
N/A. All information that is temporarily stored in EFSS is collected outside of EFSS.
6 Records and Information Management-Retention and Disposal The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are Temporary (eligible at some point for destruction/deletion because they no longer have business value) or Permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). Records/data and information with historical value, identified as having a permanent disposition, are transferred to the National Archives of the United States at the end of their retention period. All other records identified as having a temporary disposition are destroyed at the end of their retention period in accordance with the NARA Records Schedule or the General Records Schedule.
These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federation Regulations (CFR)). Under 36 CFR, agencies are required to establish procedures for addressing Records and Information Management (RIM) requirements. This includes strategies for establishing and managing recordkeeping requirements and disposition instructions before approving new electronic information systems or enhancements to existing systems.
The following questions are intended to determine whether the records/data and information in the system have approved records retention schedules and disposition instructions, whether the system incorporates RIM strategies including support for NARAs Universal Electronic Records Management (ERM) requirements, and if a mitigation strategy is needed to ensure compliance.
If the project/system:
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 11 Does not have an approved records retention schedule and/or Does not have an automated RIM functionality, Involves a cloud solution, And/or if there are additional questions regarding Records and Information Management
- Retention and Disposal, please contact the NRC Records staff at ITIMPolicy.Resource@nrc.gov for further guidance.
If the project/system has a record retention schedule or an automated RIM functionality, please complete the questions below.
6.1 Does this project map to an applicable retention schedule in NRCs Comprehensive Records Disposition Schedule (NUREG-0910), or NARAs General Records Schedules?
NUREG-0910, NRC Comprehensive Records Disposition Schedule
NARAs General Records Schedules
Unscheduled 6.2 If so, cite the schedule number, approved disposition, and describe how this is accomplished.
System Name (include sub-systems, platforms, or other locations where the same data resides)
EFSS Records Retention Schedule Number(s)
GRS 5.2 item 010 - Transitory and Intermediary GRS 3.2 item 030 - System Access Records will cover Event Histories and Audit Reports.
Approved Disposition Instructions GRS 5.2 item 010 - Transitory and Intermediary Temporary. Destroy when no longer needed for business use, or according to agency predetermined time period or business rule.
GRS 3.2 item 030 Temporary. Destroy when business use ceases.
Collaboration Invitations can be covered by this GRS as well.
EFSS has a default retention of 120 days; all records are deleted from EFSS after that period.
The system is not permitted to be used for long-term storage of official agency records. EFSS is primarily intended for temporary file sharing and users are not permitted to use the system for long-term storage of agency documentary material.
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 12 All documents uploaded to EFSS by NRC staff must be retrieved from the Agencywide Document Access & Management System (ADAMS) or another NRC record repository system.
Users can request exceptions for the default retention; however, the official record must be maintained in a record retention system.
Any user with co-owner rights can delete a record stored in EFSS. Any files stored in EFSS are deleted after the default retention period, unless an approved exception is made by the ARO and executed by the EFSS SYS ADMIN.
If an exception for the default retention has been made, the file owner must delete the information upon completion of the collaboration project or once the document is no longer needed.
Records will only pertain to the NRC business mission.
All records are automatically deleted after the default retention period and any files uploaded with the same name will replace the existing files. Files and folders are only retained for the period of collaboration which can involve editing data on a daily, weekly, or monthly basis.
Is there a current automated functionality or a manual process to support RIM requirements? This includes the ability to apply records retention and disposition policies in the system(s) to support records accessibility, reliability, integrity, and disposition.
Automated function Disposition of Temporary Records Will the records/data or a composite be automatically or manually deleted once they reach their approved retention?
N/A Disposition of Permanent Records Will the records be exported to an approved format and transferred to the National Archives based on approved retention and disposition instructions?
If so, what formats will be used?
N/A
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 13 NRC Transfer Guidance (Information and Records Management Guideline - IRMG) 7 Paperwork Reduction Act The Paperwork Reduction Act (PRA) of 1995 requires that agencies obtain an Office of Management and Budget (OMB) approval in the form of a "control number"before promulgating a paper form, website, surveys, questionnaires, or electronic submission from 10 or more members of the public. If the data collection is from federal employees regarding work-related duties, then a PRA clearance is not necessary.
7.1 Will the project be collecting any information from 10 or more persons who are not Federal employees?
Yes, the project will be collecting information from 10 or more persons who are not Federal employees.
7.2 Is there any collection of information addressed to all or a substantial majority of an industry (i.e., Fuel Fabrication Facilities or Fuel Cycle Facilities)?
N/A.
7.3 Is the collection of information required by a rule of general applicability?
N/A.
Note: For information collection (OMB clearances) questions: contact the NRCs Clearance Officer. Additional guidance can be found on the NRCs internal Information Collections Web page at: https://intranet.nrc.gov/ocio/33456.
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 14 8 Privacy Act Determination Project/System Name: Enterprise File Synchronization and Sharing (EFSS)
Submitting Office: Office of the Chief Information Officer (OCIO)
Privacy Officer Review Review Results Action Items
This project/system does not contain PII.
No further action is necessary for Privacy.
This project/system does contain PII; the Privacy Act does NOT apply, since information is NOT retrieved by a personal identifier.
Must be protected with restricted access to those with a valid need-to-know.
This project/system does contain PII; the Privacy Act does apply.
SORN is required-Information is retrieved by a personal identifier.
Comments:
Reviewers Name Title Privacy Officer Signed by Hardy, Sally on 01/09/24
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 15 9 OMB Clearance Determination NRC Clearance Officer Review Review Results
No OMB clearance is needed.
OMB clearance is needed.
Currently has OMB Clearance. Clearance No.
Comments:
EFSS itself does not need an OMB clearance since it is only a vehicle that is used to distribute and collect files. The EFSS users and EFSS Office administrators are responsible for ensuring that any use of EFSS is compliant with the requirements of the Paperwork Reduction Act.
Reviewers Name Title Agency Clearance Officer Signed by Cullison, David on 01/04/24
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 16 10 Records Retention and Disposal Schedule Determination Records Information Management Review Review Results
No record schedule required.
Additional information is needed to complete assessment.
Needs to be scheduled.
Existing records retention and disposition schedule covers the system - no modifications needed.
Comments:
Reviewers Name Title Sr. Program Analyst, Electronic Records Manager Signed by Dove, Marna on 01/09/24
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 17 11 Branch Chief Review and Concurrence Review Results
This project/system does not collect, maintain, or disseminate information in identifiable form.
This project/system does collect, maintain, or disseminate information in identifiable form.
I concur with the Privacy Act, Information Collections, and Records Management reviews.
Chief Information Security Officer Chief Information Security Division Office of the Chief Information Officer Signed by Feibus, Jonathan on 01/09/24
Enterprise File Synchronization and Sharing (EFSS)
Version 1.0 Privacy Impact Assessment 12/08/2023 PIA Template (08-2023) 18 ADDITIONAL ACTION ITEMS/CONCERNS Name of Project/System: Enterprise File Synchronization and Sharing (EFSS)
Date CISD received PIA for review:
December 13, 2023 Date CISD completed PIA review:
January 9, 2024 Action Items/Concerns:
Copies of this PIA will be provided to:
Caroline Carusone Director IT Services Development and Operations Division Office of the Chief Information Officer Garo Nalabandian Deputy Chief Information Security Officer (CISO)
Office of the Chief Information Officer