Closed maortiz-27-80 closed 10 months ago
1 - Information System and Project Information
1.1 Date PTA submitted to PIA Support for review: Click here to enter a date.
IDK, this is going to presumably be January 2024.
1.2 Name of the IT System or Project (Add system name as it appears in eMASS):
Veterans-Facing Services Platform-Va.gov
.github/emass.json, which I sourced from some spreadsheet somewhere. See this comment: https://github.com/department-of-veterans-affairs/va.gov-cms/issues/14055#issuecomment-1646072829
1.3: eMASS ID #
1027
./github/emass.json, which I sourced from some spreadsheet somewhere.
1.4 Name of VA Administration:
☐ VACO (Includes Enterprise, OI&T)
1.5 Name of the Program Office:
I... I don't know.
1.5.1 Indicate system ownership/control for the IT system or project. If the system has an eMASS entry, ensure this information matches with the eMASS entry:
☐ VA Owned and VA Operated
IT SYSTEM AND PROJECT CONTACTS
☐ This is a new IT system or project
☐ This IT System or project is categorized as minor system and augments a major system
1.8 Select the box that reflects the type of model used by the IT system or project:
I don't really know how to answer this. The CMS is a mixture of infrastructure that is specified for us, software that we develop heavily, software that we don't develop heavily but for which we are responsible, on-premises software that we operate but do not develop at all, etc.
1.9 Check the box below that reflects the type of information contained in the IT system or project:
☐ The product/Service WILL contain VA data.
1.10 What is the PII confidentiality impact level? Information regarding PII confidentiality can be found in NIST SP 800-122. (This decision must be made by the Privacy Officer.) Please select one:
This is not my place, but I suspect this should be "Low" because we don't provide or store or transfer any PHI/PII through any part of this system.
2 - Annual PTA Validation Process
Skipping based on what I understand to be the point of this project.
3 - Privacy Threshold Analysis Questions
Please describe the purpose of the IT system or project in layman’s terms so that a non-technical person can understand. The description should be at least a paragraph, at minimum and start with system name. (Spell out all acronyms first time use.)
The Content Management System (CMS) is intended to act as a repository for content created by VA employees, contractors, etc. that will form the bulk of the unauthenticated experience on the VA.gov website. This information is typically along the lines of: facilities, their operating hours, their health services, profiles of some of their staff members, news stories of interest, opportunities for partnerships, etc.
The CMS:
Does the IT system or project employ any of the following technologies? (Check all that apply.)
☐ Cloud Computing
I don't believe we use anything Sharepoint-related.
Is data stored in the cloud? If yes, please answer the following questions:
☐ Commercial Cloud (Private or Hybrid)
Name of Cloud Service Provider: AWS GovCloud
☐ Yes. If yes, please identify the agreement in place (For major CSPs (ex. Azure, AWS), please provide the contract #. For all other CSPs, provide the ISA/MOU, SLA, etc.)
I don't know the answer to this; we don't use a distinct contract from anyone else on Platform.
3.3.3 Is the cloud service FedRAMP approved?
Yes.
Does the IT system or project collect, process, retain or share any information about individuals?
No.
All information is created by VA employees or contractors or other personnel as directed by the VA. This is overwhelmingly information about VA health facilities, health services, staff profiles, news stories, and other information as determined by individual facilities, offices, etc.
INTERNAL AND EXTERNAL INFORMATION SHARING
Does the IT system or project connect, receive, or share PII with another internal VA organization, IT system, website or application?
☐ No [If “No,” place “N/A” in the Table below]
Closing because I did my best. We'll discuss this at some point.
@gracekretschmer-metrostar @michelle-dooley here is the previous work for the minor application registration
User Story or Problem Statement
Fill out Privacy Threshold Analysis (PTA) form as a prerequisite to register CMS as a "minor application" in accordance with VA SOPs. Filename to complete by CMS team: FY23StandardPTATemplate.
Description or Additional Context
VFSP-VA.gov and CMS team met on 12/07/23 to discuss CMS-specific ATO-related information. PTA is a required document for the ATO process. This allows application owners to list and describe the data elements in the application. It is also used to identify sensitive data and determine Confidentiality Impact level of the application.
The PTA is a pre-requisite to register the system (CMS) as Minor App in eMASS.
Registration is a 2-step process that begins with the intake form, then in eMASS. Paul Walker will be performing the registration with the information we are providing.
Note
VFSP-VA team will follow up with a meeting in January 2024 to discuss the PTA form and any outstanding questions the team has in order to complete the form.
Team
Please check the team(s) that will do this work.
cc: @BerniXiongA6 @ndouglas @EWashb