OVERVIEW

The system name and the name of the DOL component(s) which own(s) the system.

The Department of Labor Cloud Services (DOLCS) is owned by the Office of the Assistant Secretary for Administration and Management (OASAM).

The purpose/function of the program, system, or technology and how it relates to the component's and DOL mission

DOL Cloud Services (DOLCS) delivers functionality to meet DOL's messaging, and collaboration needs.

Microsoft Office 365's basic messaging (email, calendar, and contacts), unified messaging (instant messaging, web conferencing and desktop sharing), and collaboration are defined as Core Services.

In addition to these components, DOLCS leverages Cloud-based components to provide Mobile Device Management, Customer Relations Management, and online collaboration through OneDrive and SharePoint Online.

These functions support DOL OASAM's mission to provide leadership and support for Departmental business operations and procurement; budget and finance; information technology; human resources and civil rights; security and emergency management; and strategic planning by streamlining communications and workflows between the various groups that are responsible for these activities.

description of the information in the system.

DOLCS as a whole contains data which DOL considers non-sensitive PII, in the form of business contact information and network credentials for DOL employees and contractors. The OneDrive and SharePoint components of DOLCS may contain sensitive PII, supporting the business needs of the DOL sub-agencies which are the information owners. This includes the name and contact information of potential employees and contractors, military, immigration, or other government issued identifiers, EIN or TIN, residential address information, payroll records, contract information, electronic case files, and device identifiers as documented in the Privacy Threshold Analysis/Screening Form. Currently, Sensitive PII information supporting the DOL Office of the Solicitor, OASAM subagencies, and the SIMS information system's sub-system SIMS Freedom of Information Act (SIMS-FOIA) is stored within the DOLCS SharePoint environment. 

A description of a typical transaction conducted on the system. Typical DOLCS transactions include:

  • Email correspondence
  • Text and voice communication via Microsoft Teams
  • Document creation and collaboration via O365
  • Enrollment of mobile devices into the Mobile Device Management solution subcomponent
  • Storing and retrieving information from SharePoint Site Collections and OneDrive
  • Management of Customer Relationship information within the Microsoft Dynamics Customer Relationship Management (CRM) component.

Any information sharing conducted by the program or system.

DOLCS shares information between the on-premise integration infrastructure and the Cloud Service Provider FedRAMP-approved services.

A general description of the modules and subsystems, where relevant, and their functions. DOLCS contains the following subcomponents.

  • Office 365 (including Outlook, SharePoint Online, OneDrive, InTune, and Teams) utilizing the FedRAMP approved O365 service with Unique Identifier F1209231600.
  • Microsoft Dynamics CRM utilizing the FedRAMP approved Cloud Service with unique identifier F1310142515.

Where appropriate, a citation to the legal authority to operate the program or system. 5 U.S.C. §301. Departmental Regulations

A description of why the PIA is being conducted.

The PIA is being conducted as part of the required periodic reviews and updates of system documentation.  The DOLCS OneDrive and SharePoint subcomponents stores data collected by DOL sub-agencies which may include PII information on Federal Employees, DOL Contractors, and members of the public and therefore a Privacy Impact Assessment is required.  Additional SharePoint site collections created may contain additional PII types.

CHARACTERIZATION OF THE INFORMATION

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

DOLCS itself does not collect PII. PII is collected by DOL sub-agencies using existing paper-based or electronic Information Systems, and then manually stored in the system. For the SOL EMS Site Collection, PII is collected in the system from DOL client agencies and other parties to pending or active litigation cases (e.g. opposing counsel). The information collected is on members of the public (US citizens), DOL contractors and DOL employees.  The DPSS SP site collection collects PII on DOL employees, applicants to DOL, and current and potential contractors of DOL.  The Business Operations Center (BOC) also collects information related to business registration information for contractors and potential contractors.

From whom is information to be collected?

DOLCS itself does not collect PII. PII is collected by the DOL sub-agencies that store PII within DOLCS. Information being stored by DOL sub-agencies may have been collected from DOL Employees and Contractors and members of the public, including applicants and potential contractors who are likely to be members of the public (U.S. citizens) and/or foreign citizens.

Why is the Information being collected?

DOLCS does not collect the information directly. Information is collected by the DOL sub- agencies is collected to support DOL sub-agencies' routine business functions.  The SIMS-FOIA data stored within SharePoint is used to record to manage FOIA records, which serve to process individuals' requests made under the Privacy Act and Freedom of Information Act, to provide a record of communications between the requester and the agency, to ensure that all relevant, necessary and accurate data are available to support any process for appeal, to provide a legal document to support any process for appeal, to prepare the annual reports to OMB and Congress as required by the Privacy and Freedom of Information Acts.

The information collected by the Division of Security and Suitability (DPSS) site collection is necessary for OASAM-DPSS to determine the suitability and national security determinations, as appropriate, of applicants and contractors for employment and both physical and network access to DOL assets.

What is the PII being collected, used, disseminated, or maintained?

  • First and/or last name
  • Date of birth
  • Place of birth
  • SSN
  • SSN {truncated)
  • Military, immigration, or other government-issued identifier
  • Photographic identifiers (i.e., photograph image, x-rays, video)
  • Vehicle identifier (e.g., license place, VIN)
  • Driver's license number
  • Residential address
  • Personal phone numbers (e.g., phone, fax, cell)
  • Mailing address (e.g., P.O. Box)
  • Personal e-mail address
  • Business address
  • Current & previous business addresses
  • Business phone number (e.g., phone, fax, cell)
  • Business e-mail address
  • Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
  • Financial account information and/or number (e.g., checking account number, PIN, retirement, investment account)
  • Certificates (e.g., birth, death, marriage)
  • Legal documents or notes (e.g., divorce decree, criminal records)
  • Educational records
  • Network logon credentials (e.g., username and password)
  • Payroll records
  • Government credit card information
  • Beneficiary information
  • SIMS-FOIA information concerning FOIA requests submitted by members of the public including names; personal mailing address; telephone numbers; personal mailing addresses; and a unique tracking number which identifies each request.  SIMS-FOIA records are disseminated to agencies for appropriate action and can be used to prepare the response to the originator of the incoming letter.

CMS-OFFCP collects the following PII and store it within a DOLCS SharePoint site collection:

  • Payroll Data
  • Applicant and Employee Hiring Data
    • Social Security Numbers
    • Contact Information (Names, Address, Phone Numbers)
    • Demographic Information (Sex, Race, Veteran, Disability)
    • Job Qualifications and Resumes
    • Date of Birth
    • Criminal Background (if applicable) Credit History (if applicable)
    • Medical History (if applicable)
    • Hiring Reference Information

The DPSS site collection also contains the following PII:

  • Job Title
  • Employing Agency (within DOL)
  • Supervisor Name
  • Supervisor Work Email (DOL)
  • Position Risk, Sensitivity, and Clearance Level

The BOC site collection also contains the following PII:

  • DUNS
  • Business Name
  • Business Contact Information (Phone, email, work address, etc.)
  • Business state of incorporation
  • Registered Agent First and/or last name, and job title
  • Registered Agent Contact Information (Phone, email, work address, etc.)

How is the PII collected?

DOLCS does not collect PII information directly. PII is collected by the sub-agencies by their paper-based (i.e. OPM form SF3107) or electronic information systems and then manually stored by an authorized user within the DOLCS SharePoint or OneDrive components. DOLCS also uses non-sensitive PII information that is pulled from the general support system active directory infrastructures via network connection to the DOLCS on premise servers.

How will the information collected from individuals or derived from the system be checked for accuracy?

N/A --DOLCS does not collect PII directly from individuals.

DOL sub-agency site managers are responsible for checking the accuracy of the information that they store within the DOLCS OneDrive and SharePoint Online site collections.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

For PII stored by SOL which supports the SOL Evidence Management System (EMS), the Federal Rules of Civil Procedures and Federal Rules of Evidence are the legal authority allowing the collection of PII.  For PII stored in the SIMS-FOIA SharePoint site, documents are generally voluntarily submitted by those requesting assistance from the Department.  FOIA requires that certain information about each FOIA requestor be collected for mandated tracking responsibilities as outlined by the statute.

For PII stored by OFCCP which supports CMS-OFCCP, The legal authority, arrangement, and or agreements that define and provide for the collection of this information from the OFCCP federal contractor community is provided in the Code of Federal Regulations (CFR), Title 41 (Public Contracts and Property Management), Chapter 60 (Office of Federal Contract Compliance Programs, Equal Employment Opportunity, Department of Labor). OFCCP's mission is authorized and mandated by the following laws:

Americans with Disabilities Act Of 1990
Executive Order (EO) 11246
Section 503 of the Rehabilitation Act of 1973, as amended
38 USC 4212 — The Vietnam Era Veterans' Readjustment Assistance Act of 1974 including subsequent amendments
Notice of Employee Rights Concerning Payment of Union Dues — EO 13496.

The information stored by DPSS is authorized for collection under US Code Title 5 1302, 3301, 3304, 3328, & 8706.  5 CFR 1104 allows OPM to delegate personnel management functions to other Federal agencies.  Public Law 104-134 allows asks Federal agencies to use social security numbers to help identify individuals in agency records.  Other controlling guidance relative to personnel security and suitability include 5 CFR 731, 5 CFR 732, and 5 CFR 1400.  Also, Executive Orders 10450, 12968 apply.

Privacy Impact Analysis

For PII stored by SOL which supports the SOL EMS, the types of PII stored create the risk of unauthorized access and disclosure.

For PII stored from SIMS-FOIA, the amount of PII collected is minimal and is used for appropriately responding to information requests from members of the public.  Limited access to the system, only available through approved equipment connected to DOL networks, minimizes the security risk to the Department or the public.

The PII stored is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The privacy risks identified with the amount and type of data collected can be mitigated through the following FedRAMP baseline security controls:

Technical Class Controls

  • Access Control (AC):
    • Access Control Policy and Procedures
    • Account Management
    • Access Enforcement
    • Separation of Duties
    • Least Privilege
    • Unsuccessful Login Attempts
    • System Use Notification
    • Session Lock
    • Supervision and Review –Access
  • Audit and Accountability (AU):
    • Audit and Accountability Policy and Procedures
    • Auditable Events
    • Content of Audit Records
    • Audit Monitoring, Analysis, and Reporting
      Identification and Authentication:
    • Identification and Authentication Policy and Procedures
    • Authenticator Management

Operational Class Controls

  • Physical and Environmental Protection (PE)
    • Physical and Environmental Protection Policy and Procedures
    • Physical Access Authorizations
    • Physical Access Control
  • Awareness and Training (AT)
    • Awareness and Training Policy and Procedures
    • Security Awareness
    • Security Training
  • Media Protection (MP)
    • Media Protection Policy and Procedures
    • Media Access
    • Media Storage

Management Class Controls

  • Risk Assessment (RA)
    • Risk Assessment Policy and Procedures

DESCRIBE THE USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The PII is used for any purpose permissible under DOL authorizing statutes and court orders.  SIMS-FOIA derived data is used to prepare responses to the requestors.

For PII collected by CMS-OFCCP, The PII is intended to be used by compliance officers conducting either compliance evaluations or complaint investigations. While this PII is stored in CMS-OFCCP, it is not included as data on the majority of reports accessible to end users of this information system. With the exception of the PII collected during the complaint investigation process, this information does not appear on any of the pre-formatted reports that are available within CMS-OFCCP.

What types of tools are used to analyze data and what type of data may be produced? The EMS application/system uses the kCura Relativity COTS tool to analyze and produce data.

For information collected by CMS-OFCCP, Microsoft products (Excel) and Statistical tools (SAS, R) are used to produce aggregate statistical results.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No. The EMS, SIMS-FOIA, and CMS-OFCCP SharePoint sites do not generate new or previously unavailable data.

If the system uses commercial or publicly available data, please explain why and how it is used.

The EMS system which collects the information in the EMS SharePoint site uses commercial or publicly available data for any purpose permissible under DOL authorizing statutes and court orders. 

The SIMS-FOIA SharePoint site does not use commercial or publicly available data.

CMS-OFCCP uses Publicly Available Data as follows:

  • Google/USPS for address validation
  • Census data for NAICS codes validation
  • Metropolitan Statistical Area (MSA) data for Geographic Reference Information.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

Yes, it will modify existing systems of records.

The EMS data stored in SharePoint is documented in the DOL/SOL-19 Evidence Management System SORN issued July 23, 2016.

Information contained in SIMS-FOIA is covered by a System of Records Notice (SORN) as defined by the Privacy Act of 1974.  SIMS-FOIA leverages the following SORN:  DOL/CENTRAL-5 – Privacy Act/Freedom of Information Act Requests File System:  https://www.dol.gov/sol/privacy/dol-central-5.htm.

Information collected by CMS-OFCCP is covered by a System of Records Notice (SORN) as defined by the Privacy Act of 1974.  CMS-OFCCP leveraged the following SORN:  DOL/OFCCP-1, Office of Federal Contract Compliance Programs, Executive Management Information System (OVCCP/EIS) and DOL/OFCCP-2, Office of Federal Contract Compliance Programs/Complaint Case files.

Information collected by DPSS are covered under OASAM-20, Personnel Investigation Records.

Information collected by EMS are covered under the SORN EBSA-8.

Privacy Impact Analysis

The operational storage and use of PII can create the risk of unauthorized access and disclosure. The PII stored in SharePoint which was originally collected by EMS is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The privacy risks identified with the storage and use of PII can be mitigated through the following FedRAMP baseline security controls:

Technical Class Controls

Access Control (AC):

  • Access Control Policy and Procedures
  • Account Management
  • Access Enforcement
  • Separation of Duties
  • Least Privilege
  • Unsuccessful Login Attempts
  • System Use Notification
  • Session Lock
  • Supervision and Review –Access

Audit and Accountability (AU):

  • Audit and Accountability Policy and Procedures
  • Auditable Events
  • Content of Audit Records
  • Audit Monitoring, Analysis, and Reporting

Identification and Authentication:

  • Identification and Authentication Policy and Procedures
  • Authenticator Management

Operational Class Controls

  • Awareness and Training (AT)
    • Security Awareness and Training Policy and Procedures
    • Security Awareness
    • Security Training
  • Media Protection (MP)
    • Media Protection Policy and Procedures
    • Media Access
    • Media Storage

Management Class Controls

  • Planning (PL)
    • Security Planning, Policy, and Procedures
    • Rules of Behavior
  • System and Services Acquisition (SA)
    • Systems and Services Acquisition Policy and Procedures
    • Software Usage Restrictions
    • Security Design Principles

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

Each of the DOL sub-agencies using SharePoint and storing PII are responsible for complying with the retention schedule established for their data.

EMS-derived information stored in SharePoint is retained in SharePoint until the active legal matter has been resolved. After the matter has been resolved, information is retained in accordance with the SOL Records Schedule which specifies that the matter is destroyed/deleted 1 to 10 years after cutoff (legal matter resolved) based on business needs of the SOL practice/program area. Evidence documents stored in SharePoint are courtesy copies. The originals are maintained by the associated DOL agency.

In accordance with General Records Schedule 4.2 item 10, current SIMS correspondence information files are updated as necessary.  Under the SIMS Record Schedule (N1-174-9-004), the Executive Secretariat follows a departmentally approved process to have old electronic data expunged from the SIMS System.

For CMS-OFCCP data, the retention is permanent.

Is a retention period established to minimize privacy risk?

See statement above. 

Has the retention schedule been approved by National Archives and Records Administration (NARA)?

Yes. For the PII information stored within the DOLCS SharePoint originally collected in EMS, the National Archive and Records Administration Retention Schedule # is DAA- 0174-2013-0006, which was approved in 2013. 

For PII information originally collected in SIMS-FOIA, the record retention schedule has been approved by the DOL Records Officer and NARA, and are retained and covered by NARA's General Record Schedules GRS 4.2 Item 20. 

For CMS-OFCCP, the retention schedule has been approved by NARA for 7 calendar years.

For DPSS collection, records are covered under the General Records Schedule 6.1 & 5.6.

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?

DOL sub-agencies that store information within DOLCS are responsible for disposing PII if it is no longer required.

Information stored in SharePoint originally collected by EMS PII will only be stored on the system during active litigation. When the litigation matter is completed or the need for the EMS evidence database has been satisfied, the information is removed from the system.

Information stored in SharePoint originally collected by SIMS-FOIA is assessed annually for applicability and will be eliminated if not required for business functions.

For CMS-OFCCP data, OFCCP data requirements have been reviewed by OFCCP management and determined to be necessary for OFCCP operations.  Should OFCCP operational requirements change, OFCCP management will review the data requirements with the purpose of altering the amount of PII collected, stored, or maintained by CMS-OFCCP.

How is it determined that PII is no longer required?

N/A for DOLCS. Each of the DOL sub-agencies that use and store PII in SharePoint are responsible for determining when PII is no longer required.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII

N/A for DOLCS. See statement above

INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII residing in the EMS may be shared with DOL agencies as necessary for the handling of the investigation, facilitated resolution, or litigation matters.

PII originally collected from SIMS-FOIA is shared only with internal agencies that have responsibilities for responding to inquiries.

PII originally collected from CMS-OFCCP is collected through our regional, district and area office locations, as well as the national office. This information is only available internally via CMS-OFCCP reports, and the original case files.

Information from Office of Human Resources, SOL HR, and OIG HR offices performing staffing functions, and Contracting Officer Representatives onboarding contractors within DOL will be sharing PII with DPSS through UpSTART.  The PII is collected for to perform prescreening of federal and contract personnel and to initiate/review/process/adjudicate background investigations and security clearances.

How is the PII transmitted or disclosed?

DOLCS does not dictate how PII stored within the system is transmitted or disclosed. Each of the DOL sub-agencies are responsible for establishing a process for transmitting or disclosing the data they store within SharePoint.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

N/A for DOLCS. See above statement.

Privacy Impact Analysis

When information is shared, there is always a risk that the sharing partner does not have the appropriate authorized access level resulting in unauthorized disclosure. The PII stored in EMS is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The key security controls to ensure that access to PII is properly authorized include:

Technical Controls

  • Access Control (AC)
    • Information Sharing

Operational Controls

  • Media Protection (MP)
    • Media Access
    • Media Marking
    • Media Storage
    • Media Transport
    • Media Transport/Cryptographic Protection

Privacy Controls

  • Use Limitation (UL)
    • Internal Use

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

N/A- DOLCS does not share data that DOL sub-agencies store within the system

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

 N/A- DOLCS does not share data that DOL sub-agencies store within the system.
The DOL sub-agencies are responsible for development of a SORN, if required, for the PII that they store within DOLCS.

How is the information shared outside the Department and what security measures safeguard its transmission?

N/A see statement above

How is the information transmitted or disclosed?

N/A- See statement above

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If yes, include who the agreement is with and the duration of the agreement.

N/A- See statement above

How is the shared information secured by the recipient?

N/A- See statement above

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

N/A- See statement above .

Privacy Impact Analysis

N/A- DOLCS does not share data that DOL sub-agencies store within the system.

NOTICE

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.

DOLCS does not collect PII. Each of the DOL sub-agencies are responsible for providing notice to users, if required, for the data they store within DOLCS.

Do individuals have the opportunity and/or right to decline to provide information?

N/A- see statement above

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

N/A-- See statement above

Privacy Impact Analysis

N/A- DOLCS does not collect PII directly from individuals.

INDIVIDUAL ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

N/A- DOLCS does not collect PII directly from users. The DOL sub-agencies who collect PII and store within DOLCS are responsible for establishing procedures that allow individuals to gain access to their information.

What are the procedures for correcting inaccurate or erroneous information?

N/A- see statement above

How are individuals notified of the procedures for correcting their own information?

N/A—See statement above.

If no formal redress is provided, what alternatives are available to the individual?

N/A- See statement above

Privacy Impact Analysis

N/A- DOLCS does not collect PII directly from users. The DOL sub-agencies who collect PII and store within DOLCS are responsible for establishing procedures that allow individuals to gain access to their information.

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Each of the Sharepoint site owners are responsible for managing access to their site where PII is stored. Access is limited to DOL users only.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

N/A- The DOL sub-agencies/site owners manage access to their Sharepoint site. They are responsible for including security requirements in contracts.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

Each of the Sharepoint site owners are responsible for managing access to their site where PII is stored. Access is limited to DOL users only.

What procedures are in place to determine which users may access the system and are they documented?

Access Control procedures are in place in accordance with DOL computer security guidelines and the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The applicable NIST SP 800-53 management, operational and technical controls access control requirements are implemented in the EMS.

Highlights of the access procedures include:

  • Rules of Behavior
  • two-factor authentication using Cloud Service Provider (CSP) supplied RSA tokens
  • login via Citrix Frontend and Windows Active Directory Serviceso access provided strictly on the basis of approved authorizations
  • automatic removal of inactive access accounts
  • least privilege access based on role.

Each of the site owners have responsibility for managing access to their Sharepoint site.

How are the actual assignments of roles and Rules of Behavior, verified according to established security and auditing procedures? How often training is provided? Provide date of last training.

Each of the site owners are responsible for managing access to their Sharepoint site and the data that they store within SharePoint. DOLCS is covered under the DOL GSS Rules of Behavior. All DOL users are required to accept the DOL GSS Rules of Behavior prior to getting access to DOLCS resources. All DOL employees and contractors are required to complete Cybersecurity and Privacy Awareness and Records Management training annually. This is provided by Learning Link, and so no single hard date is available.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Mandatory DOL Cybersecurity and Privacy Awareness Training are provided to all employees and contractors of DOL on an annual basis.

What auditing measures and technical safeguards are in place to prevent misuse of data?

The site owners are responsible for managing access to their Sharepoint site and the date stored within. Access to files can be audited.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes. The Security Assessment and Authorization of the Microsoft O365 MT cloud component was last completed on 4/30/2018.   DOLCS received its initial authorization on 12/19/2014 and remains a participant in the DOL Ongoing Authorization program. Annual Security Assessments are performed as part of the Ongoing Authorization process. The last Security Assessment was completed 8/19/2022.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII stored within DOLCS by the DOL sub-agencies. The SharePoint site owners manage access to the data stored within their Sharepoint site. Access is restricted to users who are approved to access the site.

The privacy risks identified with unauthorized access and disclosure can be mitigated through the following FedRAMP baseline technical security controls:

Technical Class Controls

  • Access Control (AC):
    • Account Management
    • Access Enforcement
    • Separation of Duties
    • Least Privilege
    • System Use Notification
    • Session Lock
    • Supervision and Review – Access
  • Audit and Accountability (AU):
    • Auditable Events
    • Content of Audit Records
    • Audit Monitoring, Analysis, and Reporting
  • Identification and Authentication (IA):
    • Authenticator Management
  • System and Communications Protection (SC):
    • Boundary Protection
    • Transmission Integrity
    • Transmission Confidentiality

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The DOLCS system has on-premise components which were built from the ground up. These on premise components work with the Cloud Service Provider infrastructures which are considered Infrastructure as a Service.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

Data integrity, privacy and security were analyzed during the early phases of the System Development Lifecycle by evaluating the information types needed to successfully achieve functional requirements, categorizing the information types in accordance with the methodology outlined in NIST Special Publications, the Department of Labor Manual Series and DOL Computer Security Handbook and its successor, the Cybersecurity Policy Portfolio, and determining the risk impacts associated with those information types to arrive at a high watermark. This was used to determine the applicable security control baseline. This baseline was then tailored to the system architecture and other business security factors. Controls were implemented and assessed for effectiveness, and the residual risk was analyzed and mitigating factors documented.

What design choices were made to enhance privacy?

Implementation of encryption technologies, architectural enhancements to provide information flow control, Role-Based Access Control, and personnel security controls were implemented to enhance privacy.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

DOLCS is in the operations phase, and was developed following the DOL SDLCM.

For systems in development, does the project employ technology which may raise privacy concerns? If so please discuss their implementation? For systems in development, does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

DOLCS is no longer in the development phase.  DOLCS is in the operation phase, and was developed following the DOL SDLCMM

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • OASAM has completed the PIA for the Department of Labor Cloud Services system which is currently in operation. OASAM has determined that the safeguards and controls for this moderate system adequately protect the information.
  • OASAM has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.