DOL Cloud Service (DOLCS)

Overview

The system name and the name of the DOL component(s) which own(s) the system.

The Department of Labor Cloud Services (DOLCS) is owned by the Office of the Assistant Secretary for Administration and Management (OASAM).

The purpose/function of the program, system, or technology and how it relates to the component's and DOL mission

DOL Cloud Services (DOLCS) delivers functionality to meet DOL's messaging and collaboration needs.

Microsoft Office 365's basic messaging (email, calendar, and contacts), unified messaging (instant messaging, web conferencing and desktop sharing), collaboration and RIM's Blackberry services are defined as Core Services.

In addition to these components, DOLCS leverages Cloud-based components to provide Mobile Device Management, Customer Relations Management, and online collaboration through SharePoint Online.

These functions support DOL OASAM's mission to provide leadership and support for Departmental business operations and procurement; budget and finance; information technology; human resources and civil rights; security and emergency management; and strategic planning by streamlining communications and workflows between the various groups that are responsible for these activities.

A general description of the information in the system.

DOLCS as a whole contains data which DOL considers non-sensitive PII, in the form of business contact information and network credentials for DOL employees and contractors. The SharePoint component of DOLCS may contain sensitive PII, supporting the business needs of the DOL sub-agencies which are the information owners. This includes the name and contact information of potential employees and contractors; military, immigration, or other government-issued identifiers; EIN or TIN; residential address information; payroll records; contract information; electronic case files; and device identifiers, as documented in the attached Privacy Threshold Analysis/Screening Form. Currently, Sensitive PII supporting the DOL Office of the Solicitor is stored within the DOLCS SharePoint environment.

A description of a typical transaction conducted on the system.

Typical DOLCS transactions include:

  • Email correspondence
  • Text and voice communication via Skype for Business
  • Document creation and collaboration via O365
  • Enrollment of mobile devices into the Mobile Device Management solution subcomponent
  • Storing and retrieving information from SharePoint Site Collections
  • Management of Customer Relationship information within the Microsoft Dynamics Customer Relationship Management (CRM) component.

Any information sharing conducted by the program or system.

DOLCS shares information between the on-premises integration infrastructure and the Cloud Service Provider's FedRAMP-approved services.

A general description of the modules and subsystems, where relevant, and their functions.

DOLCS contains the following subcomponents.

  • Office 365 (including Outlook, SharePoint Online, and Skype for Business) utilizing the FedRAMP-approved O365 service with Unique Identifier F1209231600.
  • MaaS360 Mobile Device Management utilizing the IBM Cloud Service with Unique Identifier F1208031461.
  • Microsoft Dynamics CRM utilizing the FedRAMP-approved Cloud Service with Unique Identifier F1310142515.

Where appropriate, a citation to the legal authority to operate the program or system.

5 U.S.C. § 301, Departmental Regulations

A description of why the PIA is being conducted.

The DOLCS SharePoint subcomponent stores data collected by DOL sub-agencies which may include PII information on Federal Employees, DOL Contractors, and members of the public and therefore a Privacy Impact Assessment is required. A Privacy Act System of Record Notice (SORN) will be published in the Federal Register. The Privacy Act requires that a SORN be published in the Federal Register when PII is maintained by a Federal Agency in a system of records and the information is retrieved by a personal identifier. Information in some of the SharePoint site collections may be retrieved by a personal identifier.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

DOLCS itself does not collect PII. PII is collected by DOL sub-agencies using existing paper-based or electronic Information Systems, and then manually stored in the system. Currently DOLCS only stores Sensitive PII within the SharePoint Site Collection supporting the SOL EMS. For the SOL EMS Site Collection, PII is collected in the system from DOL client agencies and other parties to pending or active litigation cases (e.g. opposing counsel). The information collected is on members of the public (US citizens), DOL contractors and DOL employees.

From whom is information to be collected?

Information is collected from DOL Employees and Contractors and members of the public.

Why is the Information being collected?

DOLCS does not collect the information. Information collected by the DOL sub-agencies is collected to support DOL sub-agencies' routine business functions.

What is the PII being collected, used, disseminated, or maintained?

  • First and/or last name
  • Date of birth
  • Place of birth
  • SSN
  • SSN (truncated)
  • Military, immigration, or other government-issued identifier
  • Photographic identifiers (i.e., photograph image, x-rays, video)
  • Vehicle identifier (e.g., license plate, VIN)
  • Driver's license number
  • Residential address
  • Personal phone numbers (e.g., phone, fax, cell)
  • Mailing address (e.g., P.O. Box)
  • Personal e-mail address
  • Business address
  • Business phone number (e.g., phone, fax, cell)
  • Business e-mail address
  • Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
  • Financial account information and/or number (e.g., checking account number, PIN, retirement, investment account)
  • Certificates (e.g., birth, death, marriage)
  • Legal documents or notes (e.g., divorce decree, criminal records)
  • Educational records
  • Network logon credentials (e.g., username and password)
  • Payroll records
  • Government credit card information

How is the PII collected?

PII is collected by the sub-agencies through their paper-based or electronic information systems and then manually stored within the DOLCS SharePoint component. DOLCS also uses non-sensitive PII that is pulled from the general support system Active Directory infrastructures via network connection to the DOLCS on-premises servers.

How will the information collected from individuals or derived from the system be checked for accuracy?

DOL sub-agency site managers are responsible for checking the accuracy of the information that they store within the DOLCS SharePoint Online site collections. For information stored in DOLCS SharePoint which was originally collected by EMS, in some instances the accuracy of the PII contained within the evidence document is validated as part of the litigation process and sometimes attested under oath as accurate by a party to the case.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

For PII stored by SOL which supports the SOL Evidence Management System (EMS), the Federal Rules of Civil Procedure and Federal Rules of Evidence are the legal authority allowing the collection of PII.

Privacy Impact Analysis

For PII stored by SOL which supports the SOL EMS, the types of PII stored create the risk of unauthorized access and disclosure. The PII stored is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The privacy risks identified with the amount and type of data collected can be mitigated through the following FedRAMP baseline security controls.

Describe the Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The PII is used for any purpose permissible under DOL authorizing statutes and court orders.

What types of tools are used to analyze data and what type of data may be produced?

The EMS application/system uses the kCura Relativity COTS tool to analyze and produce data.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No. The EMS does not generate new or previously unavailable data.

If the system uses commercial or publicly available data, please explain why and how it is used.

The system uses commercial or publicly available data for any purpose permissible under DOL authorizing statutes and court orders.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

Yes. The EMS data stored in SharePoint is documented in the DOL/SOL-19 Evidence Management System issued July 23, 2016.

Privacy Impact Analysis

The operational storage and use of PII can create the risk of unauthorized access and disclosure. The PII stored in SharePoint which was originally collected by EMS is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The privacy risks identified with the storage and use of PII can be mitigated through the FedRAMP baseline security controls as noted earlier.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

Information stored in SharePoint is retained in SharePoint until the active legal matter has been resolved. After the matter has been resolved, information is retained in accordance with the SOL Records Schedule which specifies that the matter is destroyed/deleted 1 to 10 years after cutoff (legal matter resolved) based on business needs of the SOL practice/program area. Evidence documents stored in SharePoint are courtesy copies. The originals are maintained by the associated DOL agency.

Is a retention period established to minimize privacy risk?

Yes. The retention period is established to minimize privacy risk.

Has the retention schedule been approved National Archives and Records Administration (NARA)?

Yes. For the PII stored within the DOLCS SharePoint originally collected in EMS, the National Archives and Records Administration Retention Schedule # is DAA-0174-2013-0006, which was approved in 2013.

Per M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

PII stored in SharePoint that was originally collected by EMS will only be stored on the system during active litigation. When the litigation matter is completed or the need for the EMS evidence database has been satisfied, the information is removed from the system.

Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

Yes.

How is it determined that PII is no longer required?

A determination as to when PII is no longer required within the system is performed as part of the annual Privacy Impact Assessment. Specifically, the MALS Legal Technology Unit will make recommendations for approval by the System Owner. Also SOL addresses all federal mandates to reduce the use of PII and specific identifiers where possible in its information collection processes.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII.

PII not pertinent to the legal matter is redacted on the evidence document. It cannot be removed as the integrity of the evidence document must be maintained.

Privacy Impact Analysis

The risk of unauthorized access and unauthorized disclosure is proportionally increased by the length of time in which the data is retained. The key security controls to ensure that PII is properly protected include:

  • Operational Controls
    • System and Information Integrity (SI)
      • Information Handling and Retention
  • Privacy Controls
    • Data minimization and Retention (DM)
      • Minimization of Personally Identifiable Information
      • Data Retention and Disposal
      • Minimization of PII Used in Testing, Training, and Research

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII residing in the EMS may be shared with DOL agencies as necessary for the handling of the investigation, facilitated resolution, or litigation matters.

How is the PII transmitted or disclosed?

PII is transmitted or disclosed through online queries, and online screen displays. Information may be exported from the EMS via hardcopy printout and electronic copies on portable media.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

Yes. The lead attorney assigned to the legal matter reviews when the sharing of personal information is no longer required.

Privacy Impact Analysis

When information is shared, there is always a risk that the sharing partner does not have the appropriate authorized access level, resulting in unauthorized disclosure. The PII stored in EMS is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The key security controls to ensure that access to PII is properly authorized include:

  • Technical Controls
    • Access Control (AC)
      • Information Sharing
  • Operational Controls
    • Media Protection (MP)
      • Media Access
      • Media Marking
      • Media Storage
      • Media Transport
      • Media Transport/Cryptographic Protection
  • Privacy Controls
    • Use Limitation (UL)
      • Internal Use

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Information in the EMS is generally reserved for internal DOL use. However, a full range of PII may be exported from the EMS to share with other federal agencies, courts and administrative bodies, arbitrators and mediators, and opposing counsel and parties to an investigation or litigation matter to support the litigation process.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes, the sharing of PII outside the Department is compatible with the original collection. Yes, see description of "Routine uses of records maintained in the system" in the SOL EMS SORN.

How is the information shared outside the Department and what security measures safeguard its transmission?

Evidence documents that may contain PII are shared with the federal court system, administrative tribunals, and other parties to the case through document filings that are made via email or through the court's electronic filing system.

How is the information transmitted or disclosed?

Evidence documents are transmitted or disclosed via portable media (hard drive, thumb drive, CD, or DVD).

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If yes, include who the agreement is with and the duration of the agreement.

N/A. The sharing of documents is covered by the Federal Rules of Civil Procedure and the Federal Rules of Evidence.

How is the shared information secured by the recipient?

SOL relies on the courts', tribunals' and opposing counsel's own security systems to secure the documents once they have been received.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

No training is required. The sharing of evidence documents is covered by the Federal Rules of Civil Procedure and the Federal Rules of Evidence.

Privacy Impact Analysis

When information is shared, there is always a risk that the sharing partner does not have the appropriate authorized access level, resulting in unauthorized disclosure. The key security controls to ensure that access to PII is properly authorized include:

  • Technical Controls
    • Access Control (AC)
      • Information Sharing
  • Operational Controls
    • Media Protection (MP)
      • Media Access
      • Media Marking
      • Media Storage
      • Media Transport
      • Media Transport/Cryptographic Protection
  • Privacy Controls
    • Use Limitation (UL)
      • Internal Use

SOL users have an approved DOL exemption to not encrypt portable media (CD, DVD, flash drive, external hard drive) containing DOL sensitive and non-sensitive information in support of litigation activities, under various statutes, or in response to court/tribunal requirements or orders, or congressional requests. All other SOL information must be encrypted. The encryption exemption increases exposure to unauthorized access and disclosure of PII.

NOTICE

The following questions are directed as a notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register. If notice was not provided, please explain.

Yes. The Privacy Act requires that a SORN be published in the Federal Register when PII on members of the public is maintained by a Federal agency in a system of records and the information is retrieved by a personal identifier. The system can retrieve PII by the specific personal identifier.

Do individuals have the opportunity and/or right to decline to provide information?

Yes, individuals have the right to decline to provide information based on the invocation of the Privacy Act of 1974. Individuals would have addressed this opportunity or right with the DOL agency prior to SOL's use of the information. SOL does not collect this information directly from members of the public but rather extracts the information from records collected by the DOL agencies.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No, as there are only routine uses of the information, and no particular uses that would require consent under the Privacy Act of 1974.

Privacy Impact Analysis

The privacy risk is unauthorized access and disclosure of PII. DOL shall not disclose, nor make available, any personal data except with the consent of the individual concerned or by authority of law. DOL shall, when appropriate and required by law, provide access to, and a process for amending, personal information in accordance with the Privacy Act of 1974. Also, all SOL Federal and contractor support staff are made aware of penalties regarding improper use of SOL information via notifications and confidentiality agreements (e.g., system access notification, computer security and privacy awareness training, contractor Confidentiality/Non-Disclosure Agreement, System Access Request Forms, and Rules of Behavior).

Individual Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

An individual, or legal representative acting on his behalf, may request access to a record about himself by appearing in person or by writing to the Office of the Solicitor of Labor (SOL), Deputy Solicitor, 200 Constitution Avenue, NW, Washington, DC 20210. A requester in need of guidance in defining his request may write to the Assistant Secretary for Administration and Management, U.S. Department of Labor, 200 Constitution Avenue, NW, Washington, DC 20210-0002.

The specific procedures for allowing an individual to gain access to their information are provided in Title 29 CFR Part 71.2.

What are the procedures for correcting inaccurate or erroneous information?

An individual may submit a request for correction or amendment of a record pertaining to him. The request must be in writing and must be addressed to the Office of the Solicitor of Labor (SOL), Deputy Solicitor, 200 Constitution Avenue, NW, Washington, DC 20210. The request must identify the particular record in question, state the correction or amendment sought, and set forth the justification for the change. Both the envelope and the request itself must be clearly marked: "Privacy Act Amendment Request."

The specific procedures for correcting inaccurate or erroneous information are provided in Title 29 CFR 71.9.

How are individuals notified of the procedures for correcting their own information?

This information is published in the Federal Register entry for the system. Also, www.dol.gov provides "Important Web Site Notices" which contains the department's Privacy and Security Policies. This is found on the initial page of the website or directly at https://www.dol.gov/general/aboutdol/website-policies.

If no formal redress is provided, what alternatives are available to the individual?

When a request for correction or amendment is denied in whole or in part, the requester may appeal the denial to the Solicitor of Labor within 90 days of his receipt of the notice denying his request.

Privacy Impact Analysis

There is minimal risk to the data integrity of PII stored in the EMS because it is well protected by numerous security controls. Data integrity is primarily accomplished through authorized restrictive access to information in the system.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes, the EMS is accessed by Cloud Service Provider (CSP) developers and system administrators, for the purpose of developing, testing, administering, operating and hosting the cloud implementation.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

Yes. Roles are separated into general users and privileged users, with privileged user roles being separated into varying degrees of permissions based on the business and security functions that they fulfill.

What procedures are in place to determine which users may access the system and are they documented?

Access Control procedures are in place in accordance with DOL computer security guidelines and the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects. The access control requirements of the applicable NIST SP 800-53 management, operational and technical controls are implemented in the EMS.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide the date of the last training.

Roles are implemented in accordance with a Role-Based Access Control matrix developed after analysis of business, administrative, and security roles. Auditing of these roles is accomplished by periodic review of the Role-Based Access Control enforcement mechanisms. Training for users is provided at least annually. Users were required to complete the last training cycle by September 30, 2016.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Mandatory DOL Information Systems Security Privacy and Awareness Training is provided to all employees and contractors of SOL on an annual basis.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Within the EMS there are specific user roles (groups) defined which provide varying levels of access to data stored in the EMS. Critical functions are divided among different individuals based on their security group/role assignment. Users will be allowed to view and annotate evidence only for cases to which they are assigned.

Auditing functionality exists within the EMS to allow user, account management, and privileged user actions to be recorded in an audit log and backed up for a specified period of time. Audit information stored includes: type of audit event, date and time the audit event occurred, User ID, command used to initiate the audit event, success or failure of the audit event, and event result.

All audited transactions within the EMS are written to a separate audit log table within the EMS database. The electronic audit log is protected from viewing by unauthorized users.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes. The Security Assessment and Authorization was completed on 12/19/2014.

Privacy Impact Analysis

The PII stored within the EMS is limited to information necessary for the Agency to carry out its duties. It is well protected in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects. The EMS does not interface with any other systems except its hosting network infrastructure. PII may be shared with DOL agencies through reporting. The privacy risks identified with unauthorized access and disclosure can be mitigated through the following FedRAMP baseline technical security controls.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The DOLCS system has on-premises components which were built from the ground up. These on-premises components work with the Cloud Service Provider infrastructures, which are considered Infrastructure as a Service.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

Data integrity, privacy and security were analyzed during the early phases of the System Development Lifecycle by evaluating the information types needed to successfully achieve functional requirements, categorizing the information types in accordance with the methodology outlined in NIST Special Publications, the Department of Labor Manual Series and DOL Computer Security Handbook, and determining the risk impacts associated with those information types to arrive at a high watermark. This was used to determine the applicable security control baseline. This baseline was then tailored to the system architecture and other business security factors. Controls were implemented and assessed for effectiveness, and the residual risk was analyzed and mitigating factors documented.

What design choices were made to enhance privacy?

Implementation of encryption technologies, architectural enhancements to provide information flow control, Role-Based Access Control, and personnel security controls were implemented to enhance privacy.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

DOLCS is in the operations phase, and was developed following the DOL SDLCM.

For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.

DOLCS is no longer in the development phase.

PII Reduction

Is any part of the PII collection voluntary?

Information placed into the DOLCS SharePoint instance is collected by other DOL components and systems, some of which may use voluntary collection as documented in their individual processes.

If any part of the PII collection is voluntary, what efforts are being made to redact, mask, anonymize or eliminate PII from this system?

Information placed into the DOLCS SharePoint instance is collected by other DOL components and systems which must comply with the overall DOL PII and Social Security Number usage guidance as issued by DOL OCIO.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

Refer to the SOL EMS PIA for the SOL EMS determination response.

  • OASAM has completed the PIA for the Department of Labor Cloud Services system which is currently in operation. OASAM has determined that the safeguards and controls for this moderate system adequately protect the information.
  • OASAM has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.