Global Acquisition and Assistance System (GLAAS) Privacy Impact Assessment (PIA)
UNITED STATES AGENCY FOR INTERNATIONAL DEVELOPMENT
Office of the Chief Information Officer (M/CIO) Information Assurance Division
Global Acquisition and Assistance System (GLAAS) Approved Date: November 19, 2014
Additional Privacy Compliance Documentation Required:
☐ None
☐ System of Records Notice (SORN)
☐ Open Data Privacy Analysis (ODPA)
☐ Privacy Act Section (e)(3) Statement or Notice (PA Notice)
☐ USAID Web Site Privacy Policy
☐ Privacy Protection Language in Contracts and Other Acquisition‐Related Documents
☐ Role‐Based Privacy Training Confirmation
Possible Additional Compliance Documentation Required:
☐ USAID Forms Management. ADS 505
☐ Information Collection Request (ICR). ADS 505, ADS 506, and ADS 508 Privacy Program
☐ Records Schedule Approved by the National Archives and Records Administration. ADS 502
3.8 Use Limitation (UL)
3.9 Third‐Party Web Sites and Applications
Global Acquisition and Assistance System (GLAAS) Privacy Impact Assessment Date Approved: November 19, 2014
1 Introduction
The USAID Privacy Office is using this Privacy Impact Assessment (PIA) Template to gather information from program managers, system owners, and information system security officers in order to analyze USAID information technology and information collections (systems) that collect, use, maintain, or disseminate personally identifiable information (PII). See ADS 508 Privacy Program Section 503.3.5.2 Privacy Impact Assessments.
2 Information
2.1 Program and System Information
2.1.1 Describe the PROGRAM and its PURPOSE.
The primary objective of the Global Acquisition and Assistance System (GLAAS) is to provide a solution that supports acquisition and assistance management activities and the management of procurement documents that are generated by USAID. Acquisition and assistance management includes all aspects of the procurement life cycle (i.e., procurement planning, requisition, solicitation/funding opportunity, award, and closeout) and secure integration with Phoenix, USAID's financial management system.
The GLAAS and Phoenix Financial Integration is designed to process requests and awards as commitments and obligations in Phoenix in real time. GLAAS requests and awards as well as modifications must be initiated in GLAAS.
2.1.2 Describe the SYSTEM and its PURPOSE.
The Global Acquisition and Assistance System (GLAAS) supports the Agency's acquisition and assistance (A&A) management life cycle. GLAAS provides support for the end‐to‐end A&A business processes performed by a wide variety of Agency staff, from the development of the Advance Procurement Plan (APP) through requisition, solicitation or funding opportunity, award, and award closeout. GLAAS supports an acquisition and assistance workflow that involves many people in numerous roles throughout the Agency, and around the world to create and manage contracts, grants, and cooperative agreements. GLAAS users include requestors, Program Officers, Agreement Officers, Contracting Officers, Contracting Officers Representative/Agreement Officers Representative, Negotiators, Program Managers, Obligation Recorders, Financial Management Officers, and others.
2.1.3 What is the SYSTEM STATUS?
☐ New System Development or Procurement
☐ Pilot Project for New System Development or Procurement
☒ Existing System Being Updated
☐ Existing Information Collection Form or Survey OMB Control Number:
☐ New Information Collection Form or Survey
☐ Request for Dataset to be Published on an External Website
☐ Other:
2.1.4 What types of INFORMATION FORMATS are involved with the program?
☐ Physical only
Personal cell phone is collected, but as personnel are not acting as an individual there is no legal authority required for the collection of this information. Information is for vendors.
3.1.2 Why is the PII collected and how do you use it?
GLAAS collects financial/procurement information (purchase orders, contracts and grants) as well as name of personal service contractor. This would include vendor data, shipping data, items/services purchased, and costs.
The information is used in a business capacity to identify the vendor that has been awarded a purchase order, contract, or grant, and then to process payment. The information is initially collected by Phoenix (Financial Management Systems) and then pushed to GLAAS. GLAAS doesn't pull Social Security Numbers (SSN) or Taxpayer Identification Numbers (TIN) from the Phoenix vendor table.
Release notes from the vendor and any changes to the system or use of its data are reviewed by the application O&M CCB to ensure that there is no unacceptable impact.
3.2 Accountability, Audit, and Risk Management (AR)
3.2.1 Do you use any data collection forms or surveys?
☒ No:
☐ Yes:
☐ Form or Survey (Please attach)
☐ OMB Number, if applicable:
☐ Privacy Act Statement (Please provide link or attach PA Statement)
☒ No. All users go through security training, and Contractors must sign a nondisclosure agreement. Role‐based access is provided only to those who need it to do their work.
The PII data is inputted through interconnections with Phoenix and SAM. This information is from standard vendor information or information from contracts.
3.4.4 What types of reports about individuals can you produce from the system?
GLAAS reports involve all aspects of the procurement lifecycle (procurement planning, requisition, solicitation/funding opportunity, award, and closeout). Reports may include vendor name and contact information (business address, work phone, cell phone, business email) in addition to status information on the procurement. Individuals would only be listed if they were a Vendor to USAID. Admin reports are only accessible to the seven system administrators. The other reports are controlled by user role. The reports are for internal USAID use only and not for distribution outside USAID. Each report is marked with an SBU marking.
3.4.6 Does the system monitor or track individuals?
(If you choose Yes, please explain the monitoring capability.)
☐ No.
☒ Yes: Audit logs of who has accessed the system and their access capabilities. Also, conflicting role and other reports are used to ensure that users have the correct access rights.
In order to perform business with USAID, vendors are required to provide this information. They can choose not to do business with USAID. However, if they choose to do business, there is no opportunity to decline.
USAID contracting officers and the Chief Financial Officer (CFO) have access to the vendor information in the contract document. System administrators have access to vendor information in the vendor table. Procurement information, which includes vendor name, address, and DUNS number, is exported per executive branch regulations to FPDS‐NG and manually to FAADS.
All access within the system is role based. Each user must fill out an access request form which needs to be approved by a supervisor based on their position and other qualifying factors as specified in the GLAAS User Management Plan and GLAAS Operations SOP. Only Contracting Officers and the System Administrators would have access to the vendor table.
GLAAS is currently in the Terremark cloud environment. Plans to move to a Managed Services Cloud are underway. In this case, Terremark would have no visibility into the GLAAS servers or data. This is managed by AidNet monitoring and by the contract with Terremark.
3.8 Use Limitation (UL)
3.8.1 Who has access to the PII at USAID?
(A) GLAAS System Administrators
(B) Contracting Officers
(C) GLAAS users within the originating Bureau or Mission (Requestors, Program Officers, Agreement Officers, Contracting Officers Representative (CORs) and Agreement Officers Representative (AORs), Negotiators, Program Manager and Financial Management Officers (FMOs)).
All roles (except System Administrators and Contracting Officers) are restricted to the office in which they belong. This is validated by the user's supervisor.
The GLAAS Customer Care Team is responsible for reviewing end‐user access request forms, their approvals, and then setting up the user accounts. Users that lock out their accounts can obtain assistance from the GLAAS support group or their regional SME. Washington users can request that their Bureau Transition Coordinator (BTC) unlock their accounts. Accounts should be reviewed by the Mission SMEs and Washington BTCs. The system automatically locks accounts after 90 days of nonuse. An annual review process is conducted to verify Mission and Bureau users with their organization. Accounts are disabled by the GLAAS Customer Care Team, as needed. In addition, the Operations Group reviews accounts on an as needed basis to ensure the need for System Administrator accounts. System Administrators meet on a weekly basis. Accounts are removed or updated when a System Administrator leaves the organization. In addition to the GLAAS Customer Care Team, the GLAAS/Phoenix Interface Support Team also has access to GLAAS. All contractors with access to GLAAS must sign Non‐Disclosure Agreements.