Complete SORN Research

[ctro]

Background Start working on SORN and get moving in the direction of using Open Forest as SORN.

Acceptance criteria

• [x] SORN Research Completed.

Tasks

• [x] @bboddiger to confirm that TIM is a SORN for permitting data
• [x] Learn from FPFS team about their experience with SORNs
• [x] research and document options for SORNs, including OpenForest itself.
• [X] How do we begin to make OpenForest a SORN? Who do we partner with? Beth confirmed that this is Debbie White
• [x] Talk to Debbie White about what we're working on and learn about their SORN process and timeline
• [x] Document tradeoffs around SORN timing
• [X] Double check assumption: SORN is not a Security concern, it is a privacy officer concern
• [X] Get feedback from privacy officer about what data can be used in what ways

  ---

  The two following tasks are no longer needed as it was determined that the OF platform would leverage an existing SORN. Forest Service Security is looking for a viable candidate to use.

• [ ] Get SORN checklist from Deb White
• [ ] All items are complete on SORN checklist

  ---

  Definition of done

• [x] Meets Acceptance Criteria

[MelissaBraxton]

Contacts:

if related to Open Forest Jon Lerner jonathan.lerner@usda.gov if related to NRM Hieu Nguyen hieu.nguyen@usda.gov and/or Debbi White deborah.white3@usda.gov

[csstarling]

With not storing PII in the MVP to meet with frontliner reporting needs. Lets wait on SORN until later development.

[MelissaBraxton]

@bboddiger - I've sketched out possible changes to the roadmap wiki page here to clarify the decisions on how we're handling PII for the MVP and the fact that the Open Forest SORN is slated for the next major release. Feel free to hop in and edit! I'm hoping we can make the wiki updates before Monday as part of closing this issue #84.

@mgwalker - When you've added your "tradeoffs" documentation, let us know!

[MelissaBraxton]

I've updated the wiki page w/ documentation on the SORN need.

[mgwalker]

I've reached out to Debbie White. Will update when I hear back.

[MelissaBraxton]

@mgwalker - @mwreiss is going to add you to a standing mtg they have Debbie every Wed. 7/29.

[MelissaBraxton]

@mwreiss - The meeting that had been scheduled for this mysteriously vanished. Do you know when it will be rescheduled?

[mwreiss]

@MelissaBraxton I resent one for this week, @mgwalker should see an invite.

[mgwalker]

Short term

• Storing permittee data in a CSV stored in Pinyon is viable but it does open a technical can of worms. Pinyon is a SORN and is approved for PII, so we'd just need to update the interconnection agreement and privacy impact assessment (PIA). However, depending on the data, we might need to store it encrypted, which means we'd have to implement key management for access control. We'd also need to answer questions related to how long the data must be stored, what happens if the data is inaccessible, whether there are NARA considerations, etc. Debbie gently discouraged this approach.

• Emailing people their own information may be okay, depending on what information it is. Their name is definitely fine. Their mailing address is a little more iffy, and driver's license number is right out. We need to be careful about not sending information to the wrong email address, though, so we might need an email verification step first.

We need to gather a list of all the information that we might want to put on a permit-by-email and send that to Hieu to send on to the privacy officer for review. That includes name, address, driver's license number, permit number, forest name, etc. That way we can get guidance on what is acceptable and what's not.

Regarding storing files separate from Open Forest, it seems to me like key management for encrypted files alone is a dealbreaker for a November release, any other questions aside. It's a reasonable requirement, but probably not a reasonable timeframe.

Longer term

Getting a SORN basically just requires giving the PIA over to Debbie and team, and they'll take it from there. We can't start the process now, though, because they only look at systems in production. Debbie said they wouldn't consider it if it's pilot because of a lot of other work they have going on right now, but could revisit over the winter.

[MelissaBraxton]

@bboddiger Once we get an answer to the Q on #33, I think @aQuib and @Rebekah-Hernandez can prep material for Deb. I think Deb might need:

1. mock of permittee data entry form/order form
2. mock of what fields will be in the .csv data dump for frontliners
3. Mocks or lists of what info will be included on docs emailed to permittees: permit, load tags, the email itself

[mgwalker]

Deb said she only needed a list of the data, not particular layouts or other content. And then she suggested that once she gets a list of approved data back to us, that could be helpful for designing the layout which I thought was a nice insight. 😄

[MelissaBraxton]

Sounds good! Do you think it's important for her to know which data will be:

1. collected, but dumped (for now)
2. collected and stored
3. emailed to participants

If not, then I'd imagine that @aQuib and @Rebekah-Hernandez could certainly get something to her with little effort.

[mgwalker]

I think she'll need to know about anything we store or email, and the distinction is probably useful too. Anything we store will have its own consequences.

I think at this point I'd advocate for not storing anything for the pilot because a) we can't get a SORN and b) the encryption key management requirement is probably a significant lift. (@mtlaney Feel free to disagree if there's already something in OF that could handle key management.)

[MelissaBraxton]

I think we're still waiting on the list of possible data sent to Deb White. @bboddiger and @csstarling Should we assign @aQuib and @Rebekah-Hernandez to this issue?

[aQuib]

Here are the following mocks (data fields):

permittee data entry form/order form:

• All the fields within the current FS-2400-1 will be used for the MVP. Fields not appropriate for the MVP will simply be blank when the permit is electronically generated (ex. vehicle info etc.)

fields will be in the .csv data dump for frontliners:

• Name
• Address
• City/State
• Zip Code
• Email
• Forest Name
• Permit number
• Issue Date
• Termination Date
• Quantity Sold (cords)
• Permit cost

lists of what info will be included on docs emailed to permittees (as PDF)

• permit (FS-2400-1)
• district maps (if available)
• load tag
• confirmation email

  • Name
  • Email
  • Forest Name
  • Permit number
  • Issue Date
  • Termination Date
  • Quantity Sold (cords)
  • Permit cost

cc @tram @Rebekah-Hernandez @jstrothman

[MelissaBraxton]

Following up on this, was this list emailed to Deb White, @aQuib and/or @Rebekah-Hernandez?

[MelissaBraxton]

@bboddiger - Flagging this for you, since I still don't know if this list has gone to deb or not. cc @aQuib and @Rebekah-Hernandez

[aQuib]

@MelissaBraxton - The email was just recently sent (and Beth was CC on it).

[csstarling]

@aQuib @MelissaBraxton @bboddiger @tram , Are we not using a truncated ID number on the permit? Issue #33

[MelissaBraxton]

Thanks @csstarling - I recall that you had asked for some kind of ID number on the permit, if possible. And we want to send Deb the full list of possible items (MVP and beyond) so that she can advise on what would be more or less difficult to get approval for. Trammell is also waiting on a response from John Lerner about the security implications of truncated ID numbers here: https://github.com/USDAForestService/USFS-timber-permitting/issues/33.

For now, I'd suggest following up with Deb to get her take on the difficulty/implications of the system storing full ID numbers and truncated ID numbers down the road so that can inform further decision making.

[MelissaBraxton]

Moving this to blocked pending feedback from Deb. @aQuib and @csstarling - consider following up with Deb if you haven't heard anything by Monday, 9/14? @bboddiger - It may also be worth mentioning during your weekly privacy mtg w/ Deb to make sure it's on her radar.

[mwreiss]

I reached out to Deb White for a SORN checklist. Waiting for a response.

[mwreiss]

Deb is going to ask the privacy officer if their is a SORN checklist, however the last meeting we had it was suggested (by the privacy officer) that we leverage an existing SORN as the turn around can take up to 18-24 months at a minimum. Just for reference NRM still has one under way and its been many years.

[mwreiss]

@carlsonem we should have an internal discussion on this one.

[mwreiss]

@carlsonem the research part of this issue is completed. We are just waiting on feedback from Deb on which SORN to use. Since we are not going to start a new SORN but rather leverage an existing one, the last two tasks are not necessary for the OF team to address. I think we are good to close this issue out.

A new issue could be produced on the Program Board to track progress with the Forest Service security team.