NOAA4020 Privacy Impact Assessment (PIA)

Tuna Tracking and Verification Program

OMB: 0648-0335

Version Number: 01-2021

U.S. Department of Commerce
National Oceanic & Atmospheric Administration

Privacy Impact Assessment
For the
NOAA4020
Science and Technology (S&T) Silver Spring

Reviewed by: Mark H. Graff, Bureau Chief Privacy Officer

Concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
Non-concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer

GRAFF.MARK.HYRUM.1514447892
Digitally signed by GRAFF.MARK.HYRUM.1514447892
Date: 2023.01.04 16:25:58 -05'00'

GRAFF.MARK.HYRUM.1514447892
Digitally signed by GRAFF.MARK.HYRUM.1514447892
Date: 2023.01.04 16:26:25 -05'00'

Signature of Senior Agency Official for Privacy/DOC Chief Privacy Officer
(Or the BCPO if this is an existing system that is eligible for an annual certification)

Date


U.S. Department of Commerce Privacy Impact Assessment
NOAA/NMFS/Science and Technology (S&T)
Unique Project Identifier: NOAA4020
Introduction: System Description
Provide a brief description of the information system.
The NOAA4020 Science and Technology (S&T) system functions as a general data
processing system for NOAA and NMFS headquarters located in Silver Spring, MD. It
provides resources to support scientific operations and research, data and information
management, fisheries surveys, statistical analysis, stock assessments, socio-economic
analysis, ecosystem management, other national program database and applications
development, and management decisions needs. The user base of this system reaches
across different headquarter offices and across regions and science centers within NMFS.
Many of these automated systems are built in support of the NOAA Fisheries mission.
NOAA4020 does not collect SSN information.
1) International Trade Data System (ITDS)

ST6 International Trade Data System (ITDS) is used to support a number of NMFS
offices/programs to monitor imports of fisheries products. Types of BII data collected
are name of business, address, contact information, and product information. The
data is collected by U.S. Customs and Border Protection (CBP) and provided to
NMFS via SFTP for inclusion in the ITDS database. Reasons for the NMFS
database:
(1) The ITDS is an inter-agency, distributed system that allows businesses to submit
trade data to a single agency (CBP). CBP then makes these data available to
participating ITDS agencies via secure system integration.
(2) The NMFS component of the ITDS is an import monitoring system designed to
improve the efficiency and accuracy of NMFS trade monitoring programs by
utilizing the data and services provided by CBP via the national ITDS
architecture. NMFS trade monitoring programs supported by the NMFS ITDS
include the Antarctic Marine Living Resources (AMLR) program, the Highly
Migratory Species (HMS) program, the Seafood Import Monitoring Program
(SIMP), and the Tuna Tracking Verification Program (TTVP). The NMFS
ITDS is also integrated with the NMFS National Permit System (NPS) to
provide international trade permit data to NMFS trade monitoring programs
and to CBP.
2) Marine Recreational Information Program (MRIP) Extract, Transform and Load
(ETL)

The Marine Recreational Information Program (MRIP) Extract, Transform and Load
(ETL) system is a tool to collect and process recreational saltwater fishing license and
registration data from the Atlantic and Gulf of Mexico coastal states for inclusion in
the National Saltwater Angler Registry (NSAR). Types of PII collected include fishing
license information, name, address, driver’s license number, phone, email, and date of
birth.
This section was changed to improve the clarity and accuracy of the text. Nothing
significant changed on any of these applications. This does not impact our overall
privacy risk as far as being a moderate FISMA system.
3) National Saltwater Angler Registry - NSAR

The National Saltwater Angler Registry (NSAR) system serves as a consolidated
phone book of the nation’s recreational saltwater anglers. NSAR data is used to
furnish frames for the MRIP surveys. Types of PII collected include fishing license
information, name, address, driver’s license number, phone, email, and date of birth.
The following applications have been moved from NOAA4020 to NOAA4000 as of
October 2021.
4) NOAA Fisheries Committee on Scientific Stature.
5) Protected Resources National Inventory of Marine Mammals (NIMM) System.
6) NOAA Emergency Contact List

Provide a description of the system that addresses the following elements:
The response must be written in plain language and be as comprehensive as necessary to describe the system.

(a) Whether it is a general support system, major application, or other type of system
The NOAA4020 Science and Technology (S&T) system is a general support system for NMFS
headquarters.

(b) System location
NOAA4020 is hosted at the NOAA Data Center located in Silver Spring, MD. NOAA4020 has only one location.

(c) Whether it is a standalone system or interconnects with other systems (identifying and
describing any other systems to which it interconnects)
NOAA4020 is a subsystem of NOAA4000.

(d) The way the system operates to achieve the purpose(s) identified in Section 4
NOAA4020 provides application servers, database servers, proxy servers, file servers, and SFTP
servers to achieve its purpose. The data is hosted on servers located inside the NMFS firewalls
and made available to trusted entities using secured protocols such as HTTPS and TLS.

(e) How information in the system is retrieved by the user
NOAA users log in to the web-based applications within NOAA. External users access the
information via public-facing, web-accessible applications and web sites.

(f) How information is transmitted to and from the system
The information is transmitted within NMFS via local and wide area networks using secure
connections. Information is transmitted to external users through secure internet connections.

(g) Any information sharing conducted by the system
The NOAA4020 system shares data with various NOAA internal and external systems. These
relationships are documented in Interconnect Security Agreements (ISAs). We also share
data with NOAA internal and external individuals and organizations on a per request basis
subject to data request procedures specific to each data set.

(h) The specific programmatic authorities (statutes or Executive Orders) for collecting,
maintaining, using, and disseminating the information

Magnuson-Stevens Fishery Conservation and Management Act, 16 U.S.C. 1801 et seq.
(Magnuson-Stevens Act); High Seas Fishing Compliance Act of 1995, 16 U.S.C. 5501 et seq.;
International Fisheries Regulations: Vessels of the United States Fishing in Colombian Treaty
Waters, 50 CFR 300.120; the American Fisheries Act, Title II, Public Law 105-277; the
Atlantic Coastal Fisheries Cooperative Management Act of 1993, 16 U.S.C. 5101-5108, as
amended 1996; the Tuna Conventions Act of 1950, 16 U.S.C. 951-961; the Atlantic Tunas
Convention Authorization Act, 16 U.S.C., Chapter 16A; the Northern Pacific Halibut Act of
1982, 16 U.S.C. 773 et seq. (Halibut Act); the Antarctic Marine Living Resources Convention
Act of 1984, 16 U.S.C. 2431-2444; the Western and Central Pacific Fisheries Convention
Implementation Act, 16 U.S.C. 6901 et seq. (WCPFCIA); the Marine Mammal Protection Act,
16 U.S.C. 1361; and Taxpayer Identifying Number, 31 U.S.C. 7701.
Title XI of the Merchant Marine Act of 1936 as amended and codified, 46 U.S.C. 1177 and 46
U.S.C. 53701 et seq., and provisions of the Debt Collection Improvement Act as codified at 31
U.S.C. 7701.
5 U.S.C. 301; 44 U.S.C. 3101; E.O. 12107, E.O. 13164, 41 U.S.C. 433(d); 5 U.S.C. 5379; 5 CFR
Part 537; DAO 202-957; E.O. 12656; Federal Preparedness Circular (FPC) 65, July 26, 1999;
DAO 210-110; Executive Order 12564; Public Law 100-71, dated July 11, 1987.
Executive Orders 10450, 11478, 12065; 5 U.S.C. 7531-332; 15 U.S.C. 1501 et seq.; 28 U.S.C.
533-535; 44 U.S.C. 3101; and Equal Employment Act of 1972. Types of PII data collected are
contact name, phone number and address.

(i) The Federal Information Processing Standards (FIPS) 199 security impact category for the
system
This is a FIPS 199 moderate level system.


Section 1: Status of the Information System
1.1 Indicate whether the information system is a new or existing system.

This is a new information system.
This is an existing information system with changes that create new privacy risks.
(Check all that apply.)

Changes That Create New Privacy Risks (CTCNPR)
a. Conversions
b. Anonymous to Non-Anonymous
c. Significant System Management Changes
d. Significant Merging
e. New Public Access
f. Commercial Sources
g. New Interagency Uses
h. Internal Flow or Collection
i. Alteration in Character of Data
j. Other changes that create new privacy risks (specify):
Several applications have been removed from NOAA[4020] to NOAA[4000] as NOAA[4020] is in the process of being decommissioned.

This is an existing information system in which changes do not create new privacy
risks, and there is not a SAOP approved Privacy Impact Assessment.
X

This is an existing information system in which changes do not create new privacy risks, and
there is a SAOP approved Privacy Impact Assessment.

Section 2: Information in the System
2.1 Indicate what personally identifiable information (PII)/business identifiable information
(BII) is collected, maintained, or disseminated. (Check all that apply.)

Identifying Numbers (IN)
a. Social Security*
f.
b. Taxpayer ID
g.
c. Employer ID
h.
d. Employee ID
i.
e. File/Case ID
n. Other identifying numbers (specify):

Driver’s License
Passport
Alien Registration
Credit Card

X

j. Financial Account
k. Financial Transaction
l. Vehicle Identifier
m. Medical Record

*Explanation for the business need to collect, maintain, or disseminate the Social Security number, including
truncated form:

General Personal Data (GPD)
a. Name
b. Maiden Name
c. Alias

X

h. Date of Birth
i. Place of Birth
j. Home Address


X
X

o. Financial Information
p. Medical Information
q. Military Service

X

d.
e.
f.
g.
u.

Gender
k. Telephone Number
Age
l. Email Address
Race/Ethnicity
m. Education
Citizenship
n. Religion
Other general personal data (specify):

Work-Related Data (WRD)
a. Occupation
b. Job Title
c.

Work Address

d. Work Telephone
Number

X
X

Work Email Address
Salary

X

X

e.
f.

X

g.

Work History

X

X

h.

X

r. Criminal Record
s. Marital Status
t. Mother’s Maiden Name

i.
j.

Business Associates
Proprietary or Business
Information
k. Procurement/contracting
records

Employment
Performance Ratings
or other Performance
Information
l. Other work-related data (specify): NOAA[4020] does not collect HR data; the application has been
moved to NOAA[4000], which has HR data.

Distinguishing Features/Biometrics (DFB)
a. Fingerprints
f. Scars, Marks, Tattoos
b. Palm Prints
g. Hair Color
c. Voice/Audio Recording
h. Eye Color
d. Video Recording
i. Height
e. Photographs
j. Weight
p. Other distinguishing features/biometrics (specify):

System Administration/Audit Data (SAAD)
X
a. User ID
c. Date/Time of Access
X
b. IP Address
f. Queries Run
g. Other system administration/audit data (specify):

k.
l.
m.
n.
o.

X
X

Signatures
Vascular Scans
DNA Sample or Profile
Retina/Iris Scans
Dental Profile

e. ID Files Accessed
f. Contents of Files

X
X

Other Information (specify)

2.2 Indicate sources of the PII/BII in the system. (Check all that apply.)

Directly from Individual about Whom the Information Pertains
In Person
Hard Copy: Mail/Fax
Telephone
Email


Online

X*

Other (specify):
*For the ECL
Government Sources
Within the Bureau
State, Local, Tribal
Other (specify):

X
X

Non-government Sources
Public Organizations
Third Party Website or Application
Other (specify):

Other DOC Bureaus
Foreign

Private Sector

X

Other Federal Agencies

X

Commercial Data Brokers

X

2.3 Describe how the accuracy of the information in the system is ensured.
The web applications used to collect information contain various front-end and back-end
validations to check for accuracy. Data that are not collected directly from the subject of
the information are run through various quality control procedures, including format and
content validation and standardization. In some cases data are reconciled against other
data sets to check for data errors or updates.
In addition, various controls are in place to ensure that only those who are authorized and
have a need to modify the data are able to do so.
The general controls used to protect the PII involve controlled physical and logical
access, role-based access control, proper data segmentation, protection via encryption
at rest and proper audit logging of events. Adequate media marking, transport and
storage and incident monitoring and response are also used.
The levels of implementation for these technologies meet the criteria required by NIST SP
800-53, Rev 4 under the following controls: Access Enforcement (AC-3), Separation of
Duties (AC-5), Least Privilege (AC-6), Remote Access (AC-17), User-Based
Collaboration and Information Sharing (AC-21), Auditable Events (AU-2), Audit
Review, Analysis, and Reporting (AU-6), Identification and Authentication
(Organizational Users) (IA-2), Media Access (MP-2), Media Marking (MP-3), Media
Storage (MP-4), Media Transport (MP-5), Media Sanitization (MP-6), Transmission
Confidentiality (SC-9), Protection of Information at Rest (SC-28), Information System
Monitoring (SI-4).
In addition to following database CIS benchmarks and best practices, all Oracle tables that
contain PII/BII data are stored in an encrypted tablespace.


2.4 Is the information covered by the Paperwork Reduction Act?
X

Yes, the information is covered by the Paperwork Reduction Act.
Provide the OMB control number and the agency number for the collection.
0648-0578, -0642, -0380, -0018, -0593, -0709, -0651, -0781, -0659, -0335, -0732, -0793
No, the information is not covered by the Paperwork Reduction Act.

2.5 Indicate the technologies used that contain PII/BII in ways that have not been previously
deployed. (Check all that apply.)
Technologies Used Containing PII/BII Not Previously Deployed (TUCPBNPD)
Smart Cards
Biometrics
Caller-ID
Personal Identity Verification (PIV) Cards
Other (specify):

There are not any technologies used that contain PII/BII in ways that have not been previously deployed.

X

Section 3: System Supported Activities
3.1 Indicate IT system supported activities which raise privacy risks/concerns. (Check all that
apply.)

Activities
Audio recordings
Video surveillance
Other (specify):

X

Building entry readers
Electronic purchase transactions

There are not any IT system supported activities which raise privacy risks/concerns.

Section 4: Purpose of the System
4.1 Indicate why the PII/BII in the IT system is being collected, maintained, or disseminated.
(Check all that apply.)

Purpose
For a Computer Matching Program
For administrative matters
For litigation
For civil enforcement activities
To improve Federal services online
For web measurement and customization
technologies (single-session)

X
X
X
X
X


For administering human resources programs
To promote information sharing initiatives
For criminal law enforcement activities
For intelligence activities
For employee or customer satisfaction
For web measurement and customization
technologies (multi-session)

X

Other (specify):
To maintain databases for tracking international seafood trade and angler registration.

Section 5: Use of the Information
5.1 In the context of functional areas (business processes, missions, operations, etc.) supported
by the IT system, describe how the PII/BII that is collected, maintained, or disseminated
will be used. Indicate if the PII/BII identified in Section 2.1 of this document is in
reference to a federal employee/contractor, member of the public, foreign national, visitor
or other (specify).

International Trade Data System (ITDS)
ST6 International Trade Data System (ITDS) is used to support a number of NMFS
offices/programs to monitor imports of fisheries products. Types of BII data collected include
name of business, address, contact information, and product information. The data is collected
from U.S. Customs and Border Protection.
MRIP ETL
The Marine Recreational Information Program (MRIP) Extract, Transform and Load (ETL)
system is a tool to collect and process recreational saltwater fishing license and registration
data from Atlantic and Gulf of Mexico coastal states for inclusion in the National Saltwater
Angler Registry (NSAR). Types of PII collected include fishing license information, name,
address, driver’s license number, phone, email, and date of birth of the angler. The MRIP
ETL collects data from the NSAR, below.
National Saltwater Angler Registry - NSAR
The National Saltwater Angler Registry (NSAR) system serves as a consolidated phone book
of the nation’s recreational saltwater anglers. NSAR data is used to furnish frames for the
MRIP surveys. Types of PII collected include fishing license information, name, address,
driver’s license number, phone, email, and date of birth. The NSAR is only applicable to
anglers ages 16 and older. The date of birth is used for validation of this requirement.

5.2 Describe any potential threats to privacy, such as insider threat, as a result of the
bureau’s/operating unit’s use of the information, and controls that the bureau/operating
unit has put into place to ensure that the information is handled, retained, and disposed
appropriately. (For example: mandatory training for system users regarding appropriate
handling of information, automatic purging of information in accordance with the
retention schedule, etc.)

There is always the potential threat to privacy due to insider threat, but this threat is
greatly mitigated by the controls we have in place.
All staff, federal employees and contractors, are required to take annual IT Security
Awareness and Privacy Training.
Dissemination of PII/BII is subject to controls in place to restrict access to only those who
need access to the data. Everyone who does have access to the data must provide signed
copies of the NOAA Administrative Order 216-100 Data Confidentiality form, including the
Statement of Nondisclosure.
If the data is to be shared with an external organization (e.g., contracting company or
university) then a representative of the external organization must complete the
Agreement of Access form and each representative of the external organization who
will be accessing the data will have to provide a signed Certificate.
There are also various controls in place to ensure that only those who are authorized and
have a need to modify the data are able to do so.
The general controls used to protect the PII involve controlled physical and logical
access, role-based access control, proper data segmentation, protection via
encryption at rest and proper audit logging of events. Adequate media marking,
transport and storage and incident monitoring and response are also used.
The levels of implementation for these technologies meet the criteria required by NIST SP
800-53, Rev 4 under the following controls: Access Enforcement (AC-3), Separation of Duties
(AC-5), Least Privilege (AC-6), Remote Access (AC-17), User-Based Collaboration and
Information Sharing (AC-21), Auditable Events (AU-2), Audit Review, Analysis, and
Reporting (AU-6), Identification and Authentication (Organizational Users) (IA-2), Media
Access (MP-2), Media Marking (MP-3), Media Storage (MP-4), Media Transport (MP-5),
Media Sanitization (MP-6), Transmission Confidentiality (SC-9), Protection of Information at
Rest (SC-28), Information System Monitoring (SI-4).
In addition to following database CIS benchmarks and best practices, all Oracle tables that
contain PII/BII data are stored in an encrypted tablespace.

Section 6: Information Sharing and Access
6.1 Indicate with whom the bureau intends to share the PII/BII in the IT system and how the
PII/BII will be shared. (Check all that apply.)
Recipient

Case-by-Case

Within the bureau

How Information will be Shared
Bulk Transfer
Direct Access
;

DOC bureaus
Federal agencies
State, local, tribal gov’t agencies
Public
Private sector
Foreign governments
Foreign entities
Other (specify):

X*
X*

*In case of breach
The PII/BII in the system will not be shared.

6.2 Does the DOC bureau/operating unit place a limitation on re-dissemination of PII/BII
shared with external agencies/entities?
X

Yes, the external agency/entity is required to verify with the DOC bureau/operating unit before re-dissemination of PII/BII.
No, the external agency/entity is not required to verify with the DOC bureau/operating unit before re-dissemination of PII/BII.
No, the bureau/operating unit does not share PII/BII with external agencies/entities.

6.3 Indicate whether the IT system connects with or receives information from any other IT
systems authorized to process PII and/or BII.
X

Yes, this IT system connects with or receives information from another IT system(s)
authorized to process PII and/or BII.
Provide the name of the IT system and describe the technical controls which prevent PII/BII leakage:
NOAA4020 connects with NOAA4000. Technical boundary controls are in place to prevent BII
leakage. NOAA4020 consists of servers that support the development and deployment of application
offerings that facilitate the provision of mission related services to the general public, authorized
organizational and non-organizational users. NOAA4000 provides general support system (GSS, i.e.
LAN/WAN network connectivity) services to NOAA4020.

No, this IT system does not connect with or receive information from another IT system(s) authorized
to process PII and/or BII.

6.4 Identify the class of users who will have access to the IT system and the PII/BII. (Check
all that apply.)

Class of Users
General Public
Contractors
Other (specify):

Government Employees
X


X


Section 7: Notice and Consent
7.1 Indicate whether individuals will be notified if their PII/BII is collected, maintained, or
disseminated by the system. (Check all that apply.)
X
X

X

Yes, notice is provided pursuant to a system of records notice published in the Federal Register and
discussed in Section 9.
Yes, notice is provided by a Privacy Act statement and/or privacy policy. The Privacy Act statement
and/or privacy policy can be found at:
NSAR: https://www.st.nmfs.noaa.gov/nnri/
The ECL PAS: Site not available to non-NOAA staff. A screen shot with the PAS is included in the
cover email for this PIA.
Yes, notice is provided by other means. Specify how:
ITDS: The data is collected from the U.S. Customs and Border Protection’s ITDS database,
which provides notice at the time of collection.

No, notice is not provided. Specify why not:

7.2 Indicate whether and how individuals have an opportunity to decline to provide PII/BII.
X

Yes, individuals have an opportunity to decline to provide PII/BII.
Specify how:
ITDS: the NMFS ITDS is not the original point of collection.
NSAR: The individual will not register if he wishes to decline.
MRIP ETL: No data collected directly by the system.

No, individuals do not have an opportunity to decline to provide PII/BII.
Specify why not:

7.3 Indicate whether and how individuals have an opportunity to consent to particular uses of
their PII/BII.
X

Yes, individuals have an opportunity to consent to particular uses of their PII/BII.
Specify how:
ITDS: the NMFS ITDS is not the original point of collection.
NSAR: Anglers may choose not to register. There is no option to register and opt out of the
survey. An angler may decline to respond to the survey if contacted.
MRIP ETL: No data collected directly by the system.

No, individuals do not have an opportunity to consent to particular uses of their PII/BII.
Specify why not:

7.4 Indicate whether and how individuals have an opportunity to review/update PII/BII
pertaining to them.
X

Yes, individuals have an opportunity to review/update PII/BII pertaining to them.
Specify how:
ITDS: the NMFS ITDS is not the original point of collection.
NSAR: Information may be updated at the time of registration renewal.
MRIP ETL: No data collected directly by the system.

No, individuals do not have an opportunity to review/update PII/BII pertaining to them.
Specify why not:

Section 8: Administrative and Technological Controls
8.1 Indicate the administrative and technological controls for the system. (Check all that
apply.)
X
X
X
X
X

All users signed a confidentiality agreement or non-disclosure agreement.
All users are subject to a Code of Conduct that includes the requirement for confidentiality.
Staff (employees and contractors) received training on privacy and confidentiality policies and practices.
Access to the PII/BII is restricted to authorized personnel only.
Access to the PII/BII is being monitored, tracked, or recorded.
Explanation: Audit log

X

The information is secured in accordance with the Federal Information Security Modernization Act
(FISMA) requirements.
Provide date of most recent Assessment and Authorization (A&A): 0
This is a new system. The A&A date will be provided when the A&A package is approved.
The Federal Information Processing Standard (FIPS) 199 security impact category for this system is a
moderate or higher.
NIST Special Publication (SP) 800-122 and NIST SP 800-53 Revision 4 Appendix J recommended
security controls for protecting PII/BII are in place and functioning as intended; or have an approved Plan
of Action and Milestones (POA&M).
A security assessment report has been reviewed for the information system and it has been determined
that there are no additional privacy risks.
Contractors that have access to the system are subject to information security provisions in their contracts
required by DOC policy.
Contracts with customers establish DOC ownership rights over data including PII/BII.
Acceptance of liability for exposure of PII/BII is clearly defined in agreements with customers.
Other (specify):

X
X

X
X

8.2 Provide a general description of the technologies used to protect PII/BII on the IT system.
(Include data encryption in transit and/or at rest, if applicable).

The general controls used to protect the PII in these applications involve controlled
physical and logical access: role-based access control, proper data segmentation,
protection via encryption at rest and proper audit logging of events. Adequate media
marking, transport and storage and incident monitoring and response are also used.
The levels of implementation for these technologies meet the criteria required by NIST SP
800-53, Rev 4 under the following controls: Access Enforcement (AC-3), Separation of
Duties (AC-5), Least Privilege (AC-6), Remote Access (AC-17), User-Based
Collaboration and Information Sharing (AC-21), Auditable Events (AU-2), Audit
Review, Analysis, and Reporting (AU-6), Identification and Authentication
(Organizational Users) (IA-2), Media Access (MP-2), Media Marking (MP-3), Media
Storage (MP-4), Media Transport (MP-5), Media Sanitization (MP-6), Transmission
Confidentiality (SC-9), Protection of Information at Rest (SC-28), Information System
Monitoring (SI-4).
In addition to following database CIS benchmarks and best practices, all Oracle tables that
contain PII/BII data are stored in an encrypted tablespace.

Section 9: Privacy Act
9.1 Is the PII/BII searchable by a personal identifier (e.g., name or Social Security number)?
X

Yes, the PII/BII is searchable by a personal identifier.
No, the PII/BII is not searchable by a personal identifier.

9.2 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. §
552a. (A new system of records notice (SORN) is required if the system is not covered by
an existing SORN).
As per the Privacy Act of 1974, “the term ‘system of records’ means a group of any records under the control of any agency from which
information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned
to the individual.”

X

Yes, this system is covered by an existing system of records notice (SORN).
Provide the SORN name, number, and link. (list all that apply):
NOAA-[number], Permits and Registrations for United States Federally Regulated Fisheries
COMMERCE/DEPT-[number], Access Control and Identity Management System
NOAA-[number], Providing Information related to NOAA’s Mission
COMMERCE/DEPT-[number], Investigative and Security Records
Yes, a SORN has been submitted to the Department for approval on (date).
No, this system is not a system of records and a SORN is not applicable.

Section 10: Retention of Information
10.1 Indicate whether these records are covered by an approved records control schedule and
monitored for compliance. (Check all that apply.)

X

There is an approved record control schedule.
Provide the name of the record control schedule:
Chapter 1500 – Fishery and Living Marine Resource Functional Files
ECL: DAA-GRS- 2013-0006-003. Disposition instruction: Temporary. Destroy when business need
ceases.
No, there is not an approved record control schedule.
Provide the stage in which the project is in developing and submitting a records control schedule:

X

Yes, retention is monitored for compliance to the schedule.
No, retention is not monitored for compliance to the schedule.
Provide explanation: We are not currently monitoring compliance as we are in the process of reconciling
our records management policy with our data management policies to ensure that the records management
policy is comprehensive and accurate.

10.2 Indicate the disposal method of the PII/BII. (Check all that apply.)
Disposal
Shredding
Degaussing
Other (specify):

X
X

Overwriting
Deleting

X
X

Section 11: NIST Special Publication 800-122 PII Confidentiality Impact Level
11.1 Indicate the potential impact that could result to the subject individuals and/or the
organization if PII were inappropriately accessed, used, or disclosed. (The PII
Confidentiality Impact Level is not the same, and does not have to be the same, as the
Federal Information Processing Standards (FIPS) 199 security impact category.)

X

Low – the loss of confidentiality, integrity, or availability could be expected to have a limited adverse
effect on organizational operations, organizational assets, or individuals.
Moderate – the loss of confidentiality, integrity, or availability could be expected to have a serious
adverse effect on organizational operations, organizational assets, or individuals.
High – the loss of confidentiality, integrity, or availability could be expected to have a severe
or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

11.2 Indicate which factors were used to determine the above PII confidentiality impact level.
(Check all that apply.)
X

Identifiability

X

Quantity of PII

Provide explanation:
The PII/BII currently collected and stored presents a moderate
impact of identifiability.
Provide explanation:
Collective harm to individuals, but also harm to the
organization’s reputation and the cost to the organization in
addressing a possible breach was considered.
X

Data Field Sensitivity

X

Context of Use

X

Obligation to Protect Confidentiality

X

Access to and Location of PII

Other:

Provide explanation:
Multiple applications contain contact information that are not
considered sensitive PII/BII.
Provide explanation:
The purpose for which PII is collected, stored, used, processed,
disclosed, or disseminated was considered. Whether disclosure
of the mere fact that PII is being collected or used could cause
harm to the organization or individual was considered.
Provide explanation:
Magnuson-Stevens Fishery Conservation and Management Act,
16 U.S.C. 1801, Section 402b.
Provide explanation:
The nature of authorized access to PII - The number and
frequency of access was also considered. The degree to which
PII is being stored on or accessed from teleworkers’ devices or
other systems, such as web applications, outside the direct
control of the organization and whether PII is stored or
regularly transported off-site by employees was considered.
Provide explanation:

Section 12: Analysis
12.1 Identify and evaluate any potential threats to privacy that exist in light of the information
collected or the sources from which the information is collected. Also, describe the
choices that the bureau/operating unit made with regard to the type or quantity of
information collected and the sources providing the information in order to prevent or
mitigate threats to privacy. (For example: If a decision was made to collect less data,
include a discussion of this decision; if it is necessary to obtain information from sources
other than the individual, explain why.)
We collect PII from states for inclusion in the National Saltwater Angler Registry (NSAR). We collect the information from the states because it is more efficient, cost-effective, and less burdensome to the public than collecting the information from the individuals. There is some potential risk in collecting the data from the states, but this risk is greatly mitigated by the controls we have in place.

Submission is controlled via authenticated, role-based access to a web application using secure socket layer (SSL) certificates, or via secure file transfer protocol (SFTP) using private/public key pairs. PII is encrypted at all times, both during transmission and while at rest.

12.2 Indicate whether the conduct of this PIA results in any required business process changes.

[ ] Yes, the conduct of this PIA results in required business process changes.
    Explanation:
[X] No, the conduct of this PIA does not result in any required business process changes.

12.3 Indicate whether the conduct of this PIA results in any required technology changes.

[ ] Yes, the conduct of this PIA results in required technology changes.
    Explanation:
[X] No, the conduct of this PIA does not result in any required technology changes.


Points of Contact and Signatures

Information System Security Officer or System Owner
Name: Imran Miyian
Office: Science and Technology
Phone:
Email: Imran.Miyian@noaa.gov
I certify that this PIA is an accurate representation of the security controls in place to protect PII/BII processed on this IT system.
Signature: Digitally signed by MIYIAN.IMRAN.YUSAF.1402714863
Date signed: 2022.12.16 14:39:15 -05'00'

Information Technology Security Officer
Name: Catherine Amores
Office: Office of the Chief Information Officer
Phone: 301-427-8871
Email: Catherine.Amores@noaa.gov
I certify that this PIA is an accurate representation of the security controls in place to protect PII/BII processed on this IT system.
Signature: Digitally signed by AMORES.CATHERINE.SOLEDAD.1541314390
Date signed: 2023.01.03 12:01:19 -05'00'

Privacy Act Officer
Name: Robin Burress
Office: NOAA OCIO
Phone:
Email: Robin.Burress@noaa.gov
I certify that the appropriate authorities and SORNs (if applicable) are cited in this PIA.
Signature: Digitally signed by BURRESS.ROBIN.SURRETT.1365847696
Date signed: 2023.01.05 14:01:45 -05'00'

Authorizing Official
Name: Evan Howell
Office: Office of Science and Technology
Phone: 301-427-8123
Email: Evan.Howell@noaa.gov
I certify that this PIA is an accurate representation of the security controls in place to protect PII/BII processed on this IT system.
Signature: Digitally signed by HOWELL.EVAN.AUBREY.1365831552
Date signed: 2022.12.23 08:09:38 -05'00'

Bureau Chief Privacy Officer
Name: Mark Graff
Office: NOAA OCIO
Phone: 301-628-5658
Email: Mark.Graff@noaa.gov
I certify that the PII/BII processed in this IT system is necessary and this PIA ensures compliance with DOC policy to protect privacy.
Signature: Digitally signed by GRAFF.MARK.HYRUM.1514447892
Date signed: 2023.01.04 16:31:37 -05'00'
This page is for internal routing purposes and documentation of approvals. Upon final
approval, this page must be removed prior to publication of the PIA.


File Type: application/pdf
File Title: NOAA4020 PIA 2023-0103.pdf
Author: lmartin1
File Modified: 2023-01-11
File Created: 2023-01-11
