ML20009C762

From kanterella
Revision as of 12:03, 15 March 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Enterprise Project Management System EPM
ML20009C762
Person / Time
Issue date: 02/04/2020
From: Anna Mcgowan
NRC/OCIO
To:
References
Download: ML20009C762 (18)


Text

ADAMS ML20009C762 U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Enterprise Project Management System Date: 01/06/2020 A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system:

The Enterprise Project Management (EPM) system is a major application previously owned by the Office of New Reactors (NRO). EPM is recently consolidated into the Information Technology Infrastructure (ITI) FISMA boundary as a subsystem. EPM is an information technology system that integrates Microsoft Enterprise Project Management Solution into a seamless project management interface to assist NRO management in making informed scheduling and resource allocations. EPM does this through actively managing the planning and scheduling of all NRO licensing, oversight, advance reactor rulemaking, and regulatory infrastructure activities. EPM provides a standardized, automated approach to managing multiple projects across the agency by providing a common resource pool to be used by the entire agency. It supports a more effective allocation of critical staff and contractor resources, avoiding potential resource conflicts and resulting in improved project executions. It is comprised of the tools required to schedule NRO resources and actively manage the state and status of all licensing-related activities affecting design certification reviews, new reactor license applications and associated environmental reviews, and early site permit reviews. The tools are provided using primarily Microsoft enterprise project management products (which together, constitute a solution). The Microsoft products are integrated into the EPM project management interface. EPM facilitates scheduling and resource allocations. The system is used to actively manage the state and status of all licensing-related activities supporting:

  • complex, technical reviews of new reactor design certifications
  • license applications
  • environment reviews
  • early site permits PIA Template (04-2019) Page 1 of 18
  • limited work authorizations
  • plant construction inspections
  • rule management EPM enables NRO to manage related subject matter from a single point, using the standard features supplied by Microsoft Project, SQL Server, SharePoint, and Oracle Project Portfolio Management capabilities. Specifically, EPM provides the following capabilities:
  • schedule management and analysis
  • resource management
  • collaboration and workflows
  • views and reporting capabilities
  • role based access and permissions
2. What agency function does it support?
  • EPM provides a standardized, automated approach to manage multiple projects across the agency providing a common resource pool to be used by the entire agency.
  • EPM supports a more effective allocation of critical staff and contractor resources avoiding potential resource conflicts resulting in improved project executions.
3. Describe any modules or subsystems, where relevant, and their functions.

B. SharePoint Environment

  • SharePoint provides team services and websites for information sharing, workflows, and document collaboration. Several functions have been integrated into the SharePoint environment in EPM:
  • EPM Electronic Request for Additional Information (eRAI) uses SharePoint workflow to automate document and form processing and tracking associated with the New Reactor Licensing RAI processes.

License applicants are required to respond to gaps in address information with application submissions. eRAI allows the NRC to request additional information during the review and approval process.

If an applicant fails to respond to an RAI within a specified time frame, the NRC can deny the application.

  • The Construction Inspection Program Information Management System (CIPIMS) uses SharePoint workflows to provide a common tool to plan, schedule, manage, record, and report on inspections related to new reactor construction.
  • Verification of ITAAC (Inspections, Tests, Analysis, and Acceptance Criteria) Closure, Evaluation, and Status (VOICES) uses SharePoint PIA Template (04-2019) Page 2 of 18

workflows to facilitate verification, evaluation, and tracking of ITAAC closure request reviews. VOICES is intended to assist the agency in preserving all documents that support or oppose the closing of an ITAAC, and to organize and prioritize those stored documents for efficient access.

  • The Customer Response Center (CRC) uses SharePoint workflows to facilitate the processing of changes in project schedules and IT tickets.

It provides visibility of tracking any/all tickets at any time to the requester as well as the Project Manager.

  • International Travel (iTravel) uses SharePoint workflows to monitor and track international travel requests from the NRC staff. It allows the NRC offices to anticipate international travel budget needs and identify trip costs that are not commensurate to the office desired outcome.

C. SQL Server Platform Several EPM capabilities are provided using features provided by the SQL Server platform:

  • SQL Server Enterprise Business Intelligence provides data warehousing, data mining, data analysis, and querying services capabilities.

SQL Server Reporting Services (SSRS) is a commercial off-the-shelf (COTS) reporting tool used to design, manage, and deliver reports via the web and embedded enterprise applications. SSRS provides NRO and the New Reactor Program with seamless, on-demand reporting, key performance indicators, a digital dashboard, and What-If scenario analysis.

D. Microsoft Project Server Microsoft (MS) Project Server provides a centralized environment and repository for the project schedules, enterprise resources, and related data.

EPM uses Project Web Access (PWA), a web-based interface that provides access to schedules, project views, document libraries, and issues and risks. Additionally, PWA provides administrative interfaces for managing role-based security, configuring SharePoint Services integration, and PWA customization.

E. Microsoft Project Professional MS Project Professional allows project managers to set up projects quickly and efficiently, and to publish them in Project Server to be available to other users. Capabilities provided by this product support the EPM Enterprise Global Template (EGT), which is used to enforce standards for projects and resources within the organization. The EGT is used to set and modify settings, including:

  • filters, views, toolbars, tables, reports within MS Project Professional PIA Template (04-2019) Page 3 of 18
  • enterprise calendars
  • enterprise custom fields and outline codes
4. What legal authority authorizes the purchase or development of this system?

EPM Business Case has been approved by NRC Management - Please see ML070960268.

5. What is the purpose of the system and the data to be collected?

The Enterprise Project Management (EPM) supports new reactor licensing; inspections design review, licensing, and other offices product line activities.

6. Points of

Contact:

Project Manager Office/Division/Branch Telephone Lori Zimet OCIO/GEMS/COEAB 301-415-8444 Business Project Manager Office/Division/Branch Telephone Melissa Ash OCIO/GEMS/COEAB 301-415-7251 Technical Project Manager Office/Division/Branch Telephone Lori Zimet OCIO/GEMS/COEAB 301-415-8444 ISSO Office/Division/Branch Telephone Luc Phuong OCIO/INFOSEC 301-415-1103 System Owner/User Office/Division/Branch Telephone David Nelson Director, OCIO 301-415-8700

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System X Modify Existing System Other
b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes (1) If yes, provide the date approved and ADAMS accession number.

DATE Accession No Change(s) 07/31/2014 ML14199A294 Updated systems points-of-contact PIA Template (04-2019) Page 4 of 18

09/20/2017 ML17264A877 Updated systems points-of-contact 10/09/2018 ML18275A325 Updated systems points-of-contact 06/19/2019 ML19183A125 Changed filing type to PTA 12/06/2019 Changed filing type to PIA Changed Security Boundary from EPM to ITI Changed system to include OUO data (2) If yes, provide a summary of modifications or other changes to the existing system.

Changed filing type to PIA Changed Security Boundary from EPM to ITI Changed system to include OUO data

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

YES

a. If yes, please provide Enterprise Architecture (EA)/Inventory number.

Enterprise Architecture number: EA #20090005

b. If, no, please contact EA Service Desk to get Enterprise Architecture (EA)/Inventory number.

B. NFORMATION COLLECTED AND MAINTAINED These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Yes (1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licenses etc.)).

NRC Employees (2) IF NO, SKIP TO QUESTION B.2.

PIA Template (04-2019) Page 5 of 18

b. What information is being maintained in the system about an individual (be specific - e.g. SSN, Place of Birth, Name, Address)?

Employee name, work e-mail address, work office, division, and branch information, employee ID, and regular and non-regular hours charged (including leave hours) are maintained within EPM, along with individual work assignments, schedules, and work products status and project completion data.

c. Is information being collected from the subject individual?

Yes (1) If yes, what information is being collected?

Percentage of task/work completed

d. Will the information be collected from individuals who are not Federal employees?

No (1) If yes, does the information collection have OMB approval?

Not Applicable (a) If yes, indicate the OMB approval number:

Not Applicable

e. Is the information being collected from existing NRC files, databases, or systems?

Yes (1) If yes, identify the files/databases/systems and the information being collected.

Yes, information is collected from RRPS (Operating Licensing Schedule and Information), HRMS (Staff Hours), CACs (Charge Codes, EPIDs),

EDMS (Dockets, Staff, Organization) and Primavera (RII Schedule and Information).

f. Is the information being collected from external sources (any source outside of the NRC)?

No (1) If yes, identify the source and what type of information is being collected?

PIA Template (04-2019) Page 6 of 18

Not Applicable

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

EPM relies on information that the RRPS system derives from the OCFO Human Resource Management System (HRMS) Time and Labor System.

The information includes Cost Accounting Codes (CAC) and hours charged to CAC.

h. How will the information be collected (e.g. form, data transfer)?

Data will be collected through data transfer between the EPM and all related systems. Scheduled jobs run daily to pull data into the NRC Data Warehouse from the related systems via SQL Server Integration Services (SSIS) scripts.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes (1) If yes, identify the type of information (be specific).

The EPM system maintains staff technical review schedule information including specific review activities with estimated hours, skill sets, estimated start, estimated finish, estimated hours, actual start, actual finish and actual hours

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

Project schedules/activities will be loaded by NRR. Task assignments will be made by NRR Branch Chiefs. Task status/completion will be entered by staff. Hours charged to a CAC will come from RPS.

B. USES OF SYSTEM AND INFORMATION These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

Reactor Program task planning and scheduling and milestone and deliverable task level Reporting, data analysis, and case/report management.

PIA Template (04-2019) Page 7 of 18

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes

3. Who will ensure the proper use of the data in this system?

The Office of the Chief Information Officer (OCIO) will serve as information custodians ensuring the proper use of the information.

4. Are the data elements described in detail and documented?

Yes

a. If yes, what is the name of the document that contains this information and where is it located?

NRC Jira

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A

b. How will aggregated data be validated for relevance and accuracy?

N/A

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A

6. How will data be retrieved from the system? Will data be retrieved by an individuals name or personal identifier (name, unique number or symbol)?

Information will be retrieved from EPM through the following four methods:

PIA Template (04-2019) Page 8 of 18

  • Report Outputs (Task Level Summary - No Individual Information).
  • Management reports which will show project completion of tasks.
  • Project Web Access Project Views (Role Based Access Controls). Logic only allows staff to access assigned tasks.
  • Microsoft Project Professional (Local Desktop - Limited Access for NRO and OCIO staff). Allows loading/modifying of project schedules.
a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

No information will be retrieved by an individuals name or personal identifier.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

No

a. If Yes, provide name of SORN and location in the Federal Register.
8. If the information system is being modified, will the SORN(s) require amendment or revision?

N/A

9. Will this system provide the capability to identify, locate, and monitor (e.g.,

track, observe) individuals?

No

a. If yes, explain.

N/A (1) What controls will be used to prevent unauthorized monitoring?

N/A

10. List the report(s) that will be produced from this system.

The data in the EPM tool produces NRR operational reports, NRR management reports and dashboards, and NRR project health reports and dashboards.

a. What are the reports used for?

The data in the EPM system is used to produce reports used for several different functions. Some of the reports are used by NRR staff for operational planning and resource scheduling decisions; other reports are PIA Template (04-2019) Page 9 of 18

used to inform NRR management as to the status of project milestones, issues and risks; still others are used to show the project health using earned value management principles

b. Who has access to these reports?

Running of reports is limited to NRC staff supporting the New Reactor Program, Operating Reactor Program, NRC contractors, and the OCIO Database administrator.

D. ACCESS TO DATA

1. Access to EPM data will be limited to NRC staff supporting the New Reactor Program, contractors, and the OCIO Database administrator.
a. For what purpose?

NRC staff and contractors will be provided discretionary access to information contained within EPM based on their role and reactor review responsibilities and activities within NRC. OCIO Database Administration staff will require access to EPM data in order to develop, support, and troubleshoot proposed interfaces with the EPM.

a. Will access be limited?

Yes

2. Will other NRC systems share data with or have access to the data in the system?

Yes

a. If yes, identify the system(s).

Yes, EPM would have an interface with the RRPS, EDMS, CACs, HRMS, Primavera, and with MAP systems.

b. How will the data be transmitted or disclosed?

EPM uses SQL server jobs to execute a SQL Server Integration Services (SSIS) packages to extract data from the source systems listed above and insert it into the NRC Datawarehouse.

3. Will external organizations have access to data in the system?

No

a. If yes, who?

N/A PIA Template (04-2019) Page 10 of 18

b. Will access be limited?

N/A

c. What data will be accessible and for what purpose/use?

N/A

d. How will the data be transmitted or disclosed?

N/A E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 U.S.C., 36 CFR). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management (RIM) and NARAs Universal Electronic Records Management (ERM) requirements, and if a strategy is needed to ensure compliance.

1. Can you map this system to an applicable retention schedule in NRCs Comprehensive Records Disposition Schedule(NUREG-0910), or NARAs General Records Schedules?

This system will need to be scheduled; therefore, NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained. Until the approval of such schedule, these records and information are permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C., Chapter 101, and Section 2071. Implementation of retention schedules is mandatory under 44 U.S.

3303a (d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement. NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained. At this time, some information and records could be applicable under the NRC records schedule (NUREG 0910, 2005) under the Office of Nuclear Reactor Regulation (NRR).

Reference:

Project Records (NARA) According to NARA, records relating to specific systems that support or document mission goals are not covered by a General PIA Template (04-2019) Page 11 of 18

Records Schedule (GRS) and must be scheduled individually by the agency by submission of a records schedule to NARA.

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).
  • For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?
b. If no, please contact the Records and Information Management (RIM) staff at ITIMPolicy.Resource@nrc.gov.

EPM systems are built on the MS SharePoint platform, and housed in a SharePoint Farm, which includes SQL Server databases, where the data is stored. Those SQL Server databases, and the records they contain, are required for at least as long as the EPM systems are used within NRC.

2. Would these records be of value to another organization or entity at some point in time? Please explain.

It is possible that an oversight, auditing or investigative organization could ask for EPM records.

3. How are actions taken on the records? For example, is new data added or updated by replacing older data on a daily, weekly, or monthly basis?

Some records might be updated several times in a day, while others might be updated infrequently, but still be accessed on a regular basis. Regardless, all systems databases are backed up on a nightly basis.

4. What is the event or action that will serve as the trigger for updating, deleting, removing, or replacing information in the system? For example, does the information reside in the system for three years after it is created and then is it deleted?

End users update (database) records within EPM systems in response to deadlines or receiving actionable information. Users might update schedules, add inspection notes, indicate ITAAC verifications, remove contacts, etc. from respective systems.

These changes are saved to the database as users move from field to field within their applications. The databases are backed up on a nightly basis. Back up sets are continuously updated. There is no provision to archive obsolete versions of the databases.

5. Is any part of the record an output, such as a report, or other data placed in ADAMS or stored in any other location, such as a shared drive or MS PIA Template (04-2019) Page 12 of 18

SharePoint?

EPM systems are built on a SharePoint platform. This means all EPM data, data elements, fields, summary metadata, etc., are inherently stored in SharePoint, and can be used in standard or custom reports. Data could also be incorporated into charts, dashboards or queries. This information is sometimes embedded into Agency documents.

6. Does this system allow for the deletion or removal of records no longer needed and how will that be accomplished?

Yes, all EPM applications support deleting records. In addition, fields, tables, databases, test instances and/or the data they contain can be deleted as systems are modified, updated or retired. These functions, like all system changes, are planned, discussed, documented and submitted to the Agencys Change Control Board as NRC policy dictates.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g.,

passwords).

EPM relies on the Microsoft Windows Server, Project Server, SQL Server, and SharePoint security policies and access rights to protect EPM data from unauthorized access, use, or modification. Additionally, EPM inherits access controls and permissions from the Office of the Chief Information Officer (OCIO)

Information Technology Infrastructure (ITI) General Support System and Data Center Services (DCS).

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

EPM will rely on agency rules of behavior to ensure proper information usage by individuals that have been granted access. Role-based access controls within EPM also limits misuse of data.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes

  • If yes, where?

Each EPM application has supporting documentation, which includes the following:

  • System Requirements Specification (SRS)

PIA Template (04-2019) Page 13 of 18

  • Reporting System Requirements Specification (SRS)
  • Data Dictionary
  • Security Model
  • Users Manual
  • Quick Reference Card.

Information regarding access is documented in the following:

  • NRC Licensing Program Plan (LPP)
  • EPM System Requirements Specification (SRS)
  • EPM System Security Plan (SSP).
4. Will the system be accessed or operated at more than one location (site)?

No

1. If yes, how will consistent use be maintained at all sites?

N/A

5. Which user groups (e.g., system administrators, project managers, etc.)

have access to the system?

EPM access is limited to Data Center Services system administrators, NRO staff Schedulers, and select OCIO support staff to assist in EPM operation and maintenance.

6. Will a record of their access to the system be captured?

Yes

1. If yes, what will be collected?

Yes, access to the servers will be recorded in server security logs.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes, contractors with access to NRC network will be granted access upon request of the responsible office.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

PIA Template (04-2019) Page 14 of 18

  • FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.
  • PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.
8. What auditing measures and technical safeguards are in place to prevent misuse of data?

Access to the servers will be recorded in server application, security, and system logs.

9. Is the data secured in accordance with FISMA requirements?

Yes

1. If yes, when was Certification and Accreditation last completed?

EPM first obtained its Authorization to Operate (ATO) on August 1, 2010, as documented in ML102010109. The system currently resides under the ITI boundary.

PIA Template (04-2019) Page 15 of 18

PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMS/ISB Staff)

System Name: Enterprise Project Management System Submitting Office: Office of the Chief Information Officer (OCIO)

A. PRIVACY ACT APPLICABILITY REVIEW X Privacy Act is not applicable.

Privacy Act is applicable.

Comments:

EPM will allow management to assign and track the status/completion of tasks, plan projected workloads. The focus on hours is not who performed the work/task, but the amount of staff hours required to complete the work or task. Information will NOT be retrieved by an individuals name or personal identifier.

Reviewers Name Title Date Sally A. Hardy Privacy Officer 2/3/2020 B. INFORMATION COLLECTION APPLICABILITY DETERMINATION X No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

Reviewers Name Title Date David Cullison Agency Clearance Officer 1/21/2020 PIA Template (04-2019) Page 16 of 18

C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION No record schedule required.

Additional information is needed to complete assessment.

X Needs to be scheduled.

Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewers Name Title Date Marna B. Dove Sr. Program Analyst, Electronic Records Manager 1/30/2020 D. BRANCH CHIEF REVIEW AND CONCURRENCE X This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

/RA/ Date February 4, 2020 Anna T. McGowan, Chief Information Services Branch Governance & Enterprise Management Services Division Office of the Chief Information Officer PIA Template (04-2019) Page 17 of 18

TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/

PRIVACY IMPACT ASSESSMENT REVIEW RESULTS TO: David Nelson, CIO, Office of the Chief Information Officer Name of System: Enterprise Project Management System Date ISB received PIA for review: Date ISB completed PIA review:

January 7, 2020 February 3, 2020 Noted Issues:

Information is not retrieved by an individuals name or personal identifier.

Anna T. McGowan, Chief Signature/Date:

Information Services Branch Governance & Enterprise Management

/RA/ February 4, 2020 Services Division Office of the Chief Information Officer Copies of this PIA will be provided to:

Thomas Ashley, Director IT Services Development & Operation Division Office of the Chief Information Officer Jonathan Feibus Chief Information Security Officer (CISO)

Governance & Enterprise Management Services Division Office of the Chief Information Officer PIA Template (04-2019) Page 18 of 18