[Federal Register Volume 76, Number 75 (Tuesday, April 19, 2011)]
[Notices]
[Pages 21902-21906]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-9467]


=======================================================================
-----------------------------------------------------------------------

DEPARMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; Report of a New System of Records

AGENCY: Office of Grants and Acquisition Policy and Accountability 
(OGAPA), Assistant Secretary for Financial Resources (ASFR), Department 
of Health and Human Services (HHS).

ACTION: Notice of New System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, the HHS OGAPA is proposing to establish a new system titled, 
``HHS Consolidated Acquisition Solution (HCAS), System No. 09-90-
0411.'' As an IT investment, HCAS is monitored by the HHS IT Investment 
Review Board (ITIRB). In addition to the ITIRB oversight, HCAS is 
monitored by the HHS/ASFR Office of Grants and Acquisition Policy and 
Accountability (OGAPA).
    At HHS, there were seven different systems in place to support the 
people who make buying--procurement--possible. The HHS Consolidated 
Acquisition System (HCAS) is an initiative to reduce the number of 
duplicative acquisition systems, thereby streamlining and standardizing 
our procurement processes and systems across the Department. The use of 
disparate systems complicates all interfaces to financial, inventory, 
and other systems that HHS has or will employ.
    HCAS replaced varying Procurement Request Information System 
(PRISM) configurations that existed across HHS, and replaced legacy 
acquisition systems and manual processes necessary for capturing HHS 
acquisition transactions for integration with the Unified Financial 
Management System (UFMS). We are also proposing routine uses for this 
system of records.

DATES:  Effective Dates: The HHS ASFR/OGAPA filed a new system report 
with the Chair of the House Committee on Oversight and Government 
Reform, the Chair of the Senate Committee on Homeland Security and 
Governmental Affairs, and the Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget (OMB) on April 8, 
2011. To ensure that all parties have adequate time in which to 
comment, the new SOR, including routine uses, will become effective 40 
days from the publication of the notice, or from the date it was 
submitted to OMB and the Congress, whichever is later, unless HHS/ASFR/
OGAPA receives comments that require alterations to this notice. 
Although the Privacy Act requires only that the HHS/ASFR/OGAPA provide 
an opportunity for interested persons to comment on the proposed 
routine uses, the HHS/ASFR/OGAPA invites comments on all portions of 
this notice.

For Further Information or Comments Contact: The public should address 
comments to Kowanna Parran at HHS Office of the Secretary, Assistant 
Secretary for Financial Resources, Office of Grants and Acquisition 
Policy and Accountability, Hubert H. Humphrey Building, 200 
Independence Avenue, Washington, DC 20201. Ms. Parran can be reached by 
telephone at (202) 205-0722 or via e-mail at [email protected]. 
Comments received will be available for review at this location, by 
appointment, during regular business hours, Monday through Friday from 
9 a.m.-3 p.m., Eastern Time zone.

SUPPLEMENTARY INFORMATION: The HCAS system itself collects information 
necessary to support a procurement relationship between HHS and the 
vendor community. Information is collected on HHS Contracting Officers, 
and HHS vendors. There are limited instances where an individual's 
information in identifiable form (IIF) will be collected in order to 
facilitate a transaction in HCAS. HCAS collects and maintains IIF for 
service fellows and sole proprietorships that provide vendor services 
as individuals. Acquisition processes supported by HCAS include 
acquisition planning, solicitation, contract creation and approval, 
contract award and award closeout, and contract performance and 
management. To support these business processes, IIF contained in HCAS 
may include the following: vendor and contracting officer names, vendor 
mailing addresses, phone numbers, vendor financial account information, 
legal documents, Web URLs, e-mail addresses, vendor education records, 
and vendor tax ID numbers (TIN) or Social Security numbers.
    The Privacy Act allows information disclosure without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use.'' The Government will only release HCAS information that can be 
associated with an individual as provided for under ``Section III. 
Proposed Routine Use Disclosures of Data in the System.'' Both 
identifiable and non-identifiable data may be disclosed under a routine 
use. We will only collect the minimum personal data necessary to 
achieve the purpose of HCAS. We are proposing to establish the 
following routine use disclosures of information maintained in the 
system:
    (1) To agency contractors or consultants who have been engaged by 
the agency to assist in the accomplishment of the HCAS Operations and 
Maintenance (O&M) function relating to the purposes for this system and 
who need to have access to the records in order to assist the OGAPA and 
HCAS O&M Federal leadership.
    We contemplate disclosing information under this routine use only 
in situations in which OGAPA and HCAS O&M Federal leadership enters 
into a contractual or similar agreement with a third party to assist in 
accomplishing a HCAS function relating to purposes for this system.
    The HHS Program Support Center (PSC) Financial Enterprise Systems 
Management (FESM) Operations and Maintenance (O&M) must be able to give 
a contractor or consultant whatever information is necessary for the 
contractor or consultant to fulfill its duties. In these situations, 
safeguards are provided in the contract prohibiting

[[Page 21903]]

the contractor or consultant from using or disclosing the information 
for any purpose other than that described in the contract and requires 
the contractor or consultant to return or destroy all information at 
the completion of the contract.
    (2) To the Department of Justice (DOJ), court or adjudicatory body 
when: the agency or any component thereof, or any employee of the 
agency in his or her official capacity, or any employee of the agency 
in his or her individual capacity where the DOJ has agreed to represent 
the employee, or the United States Government is a party to litigation 
or has an interest in such litigation, and by careful review, OGAPA 
determines that the records are relevant and necessary to the 
litigation and that the use of such records by the DOJ, court or 
adjudicatory body is compatible with the purpose for which the agency 
collected the records.
    Whenever HHS OGAPA is involved in litigation, and occasionally when 
another party is involved in litigation and OGAPA policies or 
operations could be affected by the outcome of the litigation, OGAPA 
would be able to disclose information to the DOJ, court or adjudicatory 
body involved.
    The HHS OGAPA will utilize a combination of administrative, 
technical, and physical controls to balance privacy and confidentiality 
with the system's goals. These controls include providing read-only 
access to HCAS users; authenticating users prior to granting access; 
controlling access levels and permissions based on user, role, and 
organizational unit; configuring all servers to remove all unused 
applications and system files and all local account access except when 
necessary to manage the system and maintain integrity of data; and 
physically restricting server access at the Department of Health and 
Human Services, National Institutes of Health, Center for Information 
Technology (CIT) Computer Room.
    This system will conform to all applicable Federal laws and 
regulations, and HHS/Office of the Secretary policies and standards as 
they relate to information security and data privacy. These laws and 
regulations may apply but are not limited to: The Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the E-Government Act of 2002; the Clinger-
Cohen Act of 1996; and the corresponding implementing regulations. OMB 
Circular A-130, Management of Federal Resources, Appendix III, Security 
of Federal Automated Information Resources also applies. Federal and 
HHS/Office of the Secretary policies and standards include but are not 
limited to: All pertinent National Institute of Standards and 
Technology publications and the HHS-OCIO Policy for Information Systems 
Security and Privacy (IS2P) Handbook.
    The OGAPA proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. Data in this 
system will be subject to the authorized releases in accordance with 
the routine uses identified in this system of records.
    The OGAPA will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights of patients whose data are 
maintained in this system. HCAS will collect only that information 
necessary to perform the system's functions. In addition, the OGAPA 
will make disclosure from the proposed system only with consent of the 
subject individual, or his/her legal representative, or in accordance 
with an applicable exception provision of the Privacy Act. The OGAPA, 
therefore, does not anticipate an unfavorable effect on individual 
privacy as a result of information relating to individuals.

    Dated: April 7, 2011.
Nancy J. Gunderson,
Deputy Assistant Secretary, Office of Grants and Acquisition Policy and 
Accountability, HHS/ASFR.
SYSTEM NO: 09-90-0411

SYSTEM NAME:
    ``HHS Consolidated Acquisition Solution (HCAS),'' HHS/ASFR.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    NIH Center for Information Technology, 10401 Fernwood Road, 
Bethesda, MD 20817.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Information is collected on HHS Contracting Officers and HHS 
vendors who are service fellows or sole proprietorships that provide 
vendor services as individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    HCAS records include HHS statements of work, purchase requests, 
requests for proposals (RFPs), bids, proposals, vendor invoices, 
requisitions, contract awards, contract modifications, progress 
reports, financial status reports, audit reports, and contract 
deliverables.
    Individual Information in Identifiable Form (IIF) contained in 
these records includes names of HHS contracting officers, vendor names, 
mailing addresses, phone numbers, financial account information, legal 
documents, Web URLs, and e-mail addresses and may include Social 
Security numbers when a vendor Tax Information Number (TIN) is not 
available.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    As an IT investment, HCAS is governed by the HHS IT Investment 
Review Board (ITIRB), as part of the HHS Capital Planning and 
Investment Control (CPIC) process, as managed by the HHS Office of the 
Chief Information Officer (OCIO). CPIC is mandated by the Clinger-Cohen 
Act which requires agencies to use a disciplined process to acquire, 
use, maintain and dispose of information technology. The OCIO exercises 
authorities delegated by the Secretary to the Deputy Assistant 
Secretary for Information Technology, as the CIO for HHS. These 
authorities derive from the Clinger-Cohen Act of 1996, the Paperwork 
Reduction Act of 1995, the Computer Matching and Privacy Act of 1988, 
the Computer Security Act of 1987, the Federal Information Security 
Management Act (FISMA), the National Archives and Records 
Administration Act of 1984, the Competition in Contracting Act of 1984, 
the Federal Records Act of 1950, OMB Circulars A-130 and A-11, 
Government Printing and Binding Regulations issued by the Joint 
Committee on Printing, and Presidential Decision Directive 63.
    In addition to the ITIRB oversight, HCAS falls within the 
governance of the HHS Office of Grants and Acquisition Policy and 
Accountability (OGAPA).

PURPOSE(S):
    HHS has acquisition offices across 10 Operating/Staff Divisions, 
which conduct and process thousands of procurement transactions 
annually. The HHS acquisition community requires a transaction-based, 
integrated procurement system that is consistent across the entire HHS. 
Except for the Centers for Disease Control and Prevention (CDC), HHS 
utilizes the acquisition processing and management functionality of 
Purchase Request Information System (PRISM), a commercial off-the-shelf 
(COTS) application from Compusearch Software Systems. Except for CDC 
and Centers for Medicare and Medicaid Services (CMS), HHS utilizes the 
requisitioning functionality in Oracle i-Procurement, a package 
available within Oracle Federal Financials, the software utilized by 
the Unified Financial Management System

[[Page 21904]]

(UFMS), the HHS enterprise financial management system.
    The HHS Consolidated Acquisition System delivers a standardized 
global PRISM for all operational contracting components within HHS 
(except CDC) that utilize UFMS (referred to as HCAS clients). HHS 
deployed HCAS to the following seven HCAS client contracting offices: 
Agency for Healthcare Research and Quality (AHRQ), Assistant Secretary 
for Preparedness and Response (ASPR), Food and Drug Administration 
(FDA), Program Support Center (PSC), Health Resources and Services 
Administration (HRSA), Indian Health Service (IHS) and Substance Abuse 
and Mental Health Services Administration (SAMHSA). (CMS and National 
Institutes of Health (NIH), which use other distinct Oracle Federal 
Financial instances for financial management that are not UFMS, are not 
considered HCAS clients and are outside the scope of this system.) CDC, 
while using UFMS, does not use the HCAS PRISM environment but uses 
their own procurement system Integrated Contracts Expert (ICE). HCAS 
PRISM was fully implemented across its HHS clients on February 8, 2009.
    The enterprise PRISM configuration via HCAS allows HHS to 
standardize acquisition business processes across the department. A 
consolidated PRISM facilitates and enables a single solution for 
integrating acquisition with financial management (one interface 
between HCAS and UFMS) and other mixed financial management systems.
    The HCAS system itself collects information necessary to support a 
procurement relationship between HHS and the vendor community. There 
are limited instances where an individual's information in identifiable 
form (IIF) will be collected in order to facilitate a transaction in 
HCAS. HCAS collects and maintains IIF for service fellows and sole 
proprietorships that provide vendor services as individuals.
    Acquisition processes supported by HCAS include acquisition 
planning, solicitation, contract creation and approval, contract award 
and award closeout. To support these business processes, IIF contained 
in HCAS may include the following: Vendor and contracting officer 
names, vendor mailing addresses, phone numbers, vendor financial 
account information, legal documents, Web URLs, e-mail addresses, 
vendor education records, and vendor tax ID numbers (TIN) or Social 
Security numbers. HCAS users will be able to retrieve data records by 
vendor or contracting officer name, among other identifiers. For 
example, names of contracting officer who act as buyers for HHS may be 
used to retrieve request for proposals or other HHS solicitation 
materials or purchase requests. Users may also use a contracting 
officer's name to retrieve associated contact information such as 
business e-mail or phone number when creating a solicitation or 
contract. Similarly, users may retrieve solicitation and contract 
materials, such as proposals, progress reports, and contract 
modifications by vendor name.
    Social Security numbers of vendors may be captured within HCAS 
under certain circumstances where a Tax Identification Number (TIN) is 
not available. The HCAS system will comply with all provisions of 
section 7 of the Privacy Act, including compliance with the following 
paragraph:
    Any Federal, State or local government agency which requests an 
individual to disclose his Social Security account number shall inform 
that individual whether that disclosure is mandatory or voluntary, by 
what statutory or other authority such number is solicited, and what 
uses will be made of it.
    When vendor SSN information is collected by HCAS, it is required 
for vendors to obtain the benefit of contracting with HHS. Provision of 
this information by the vendor is elective and again, is only used when 
a vendor TIN is not available.
    HCAS is integrated with UFMS and information is exchanged in both 
directions between the two systems. Information retrieved from HCAS may 
be shared/disclosed within and across the HHS contracting and financial 
management communities to: (1) Specify the Contracting Officer 
conducting an HHS solicitation or purchase request; (2) to specify 
vendor information in contract documentation, including award, 
modifications, and task progress reports; and (3) to validate and 
approve payments to HHS vendors. Information on vendors pertaining to 
specific HHS contract transactions captured in HCAS is not shared or 
disclosed to agencies outside of HHS. Names of contracting officers who 
act as buyers for HHS are contained in solicitation materials that are 
released to the public for competitive procurements.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The Privacy Act allows information disclosure without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use.'' The proposed routine uses in this system meet the compatibility 
requirement of the Privacy Act. We are proposing to establish the 
following routine use disclosures of information maintained in the 
system:
    (1) To agency contractors or consultants who have been engaged by 
the agency to assist in the accomplishment of the HCAS/FESM Operations 
and Maintenance function (O&M) relating to the purposes for this system 
and who need to have access to the records in order to assist the OGAPA 
and HCAS/FESM O&M Federal leadership.
    (2) To the Department of Justice (DOJ), court or adjudicatory body 
when the agency or any component thereof, or any employee of the agency 
in his or her official capacity, or any employee of the agency in his 
or her individual capacity where the DOJ has agreed to represent the 
employee, or the United States Government is a party to litigation or 
has an interest in such litigation, and by careful review, the HHS 
OGAPA determines that the records are relevant and necessary to the 
litigation and that the use of such records by the DOJ, court or 
adjudicatory body is compatible with the purpose for which the agency 
collected the records.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    All records are stored on electronic media.

RETRIEVABILITY:
    Identifiers used to retrieve records may include names of 
contracting officers and vendors. Names of contracting officers who act 
as buyers for HHS may be used to retrieve RFPs, statements of work, 
purchase requests, contract awards or contract modifications. Vendor 
names may be used to retrieve proposals, contract awards, contract 
modifications, progress reports, financial status reports, invoices, 
and contract deliverables. In the limited instance that a vendor is a 
service fellow or a sole proprietorship that provides services to HHS 
as an individual, HCAS will allow users to use the individual's name to 
retrieve vendor related procurement records.

SAFEGUARDS:
ADMINISTRATIVE CONTROLS:
    The following Administrative Controls have been in place for HCAS:

[[Page 21905]]

ACCOUNT MANAGEMENT/USER IDENTIFICATION AND AUTHENTICATION:
    Users must have a UFMS account prior to creation of the PRISM 
account. User's supervisor or another UFMS user submits a request for 
access on behalf of the prospective user through the User Provisioning 
Automated (UPA) process. The UPA process is the on-line UFMS user 
provisioning module. The UPA process is a workflow process that 
requires supervisor approval, responsibility approval, SOD approval, 
and security verification of background investigation. Reports can be 
generated detailing the approvals for user provisioning. Inactive 
accounts are locked after 60 days of inactivity. The use of temporary 
and emergency accounts is prohibited.

AUTHENTICATOR MANAGEMENT:
    Users are required to change their password upon initial login. If 
users do not log in and change their passwords within 30 days of 
account generation, then the account is made inactive. Users are 
responsible for understanding and complying with all password use 
requirements including the need for adequate (difficult to decipher) 
passwords. Users are required to use passwords of a mix of eight (8) 
alpha, numeric and special characters, with at least one uppercase 
letter, one lower case letter, and one number. Users are automatically 
required to change their passwords every 90 days. Users are instructed 
to keep their passwords confidential and not share them with anyone. 
Upon notification that a password has been forgotten or compromised, 
the password is immediately reset to a unique (non-default) password 
and the user is notified. Upon login, after a password reset, the user 
is required to change their password within 2 days to prevent the 
account from being deactivated.

ACCESS ENFORCEMENT:
    User access to the application functions are granted through the 
UPA process based upon the role that has been assigned to the user and 
approved through the workflow. Privileges assigned to users of the 
system/application are granted based upon the role that has been 
assigned to the user. This includes administrative privileges that can 
be performed within the system.

INFORMATION FLOW ENFORCEMENT--NIH/CIT SECURITY MECHANISMS:
    Carbon Copy (CC): The UFMS application resides on hardware located 
within the National Institutes of Health, Center for Information 
Technology (NIH/CIT) general support system (GSS). The flow of 
information within the system and between interconnected systems is 
controlled by various NIH/CIT network firewalls, and authentication 
mechanisms HHS-Net Certification and Accreditation (C&A)--The flow of 
information within the system traverses the HHS-Net network which 
includes routers, switches, network firewalls, and authentication 
mechanisms.

LEAST PRIVILEGE:
    Privileges assigned to users of the system/application are granted 
based upon the role that has been assigned to the user.

UNSUCCESSFUL LOGIN ATTEMPTS:
    The system contains functionality that prevents user access when 
the maximum number of unsuccessful login attempts is exceeded.
    The HCAS system automatically locks an account until released by an 
administrator when three (3) unsuccessful login attempts occur.

TECHNICAL CONTROLS:
    Access to the system is controlled by HCAS Systems Security 
Officer, which authenticates the user prior to granting access. Access 
level and permissions are controlled by the system and based on user, 
role, organizational unit, and status of the report. All servers have 
been configured to remove all unused applications and system files and 
all local account access except when necessary to manage the system and 
maintain integrity of data.

PHYSICAL CONTROLS:
    The servers will reside in the NIH CIT Computer Room where policies 
and procedures are in place to restrict access to the machines.
    This system will conform to all applicable Federal laws and 
regulations and HHS/Office of the Secretary policies and standards as 
they relate to information security and data privacy. These laws and 
regulations may apply but are not limited to: The Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the E-Government Act of 2002; the Clinger-
Cohen Act of 1996; and the corresponding implementing regulations. OMB 
Circular A-130, Management of Federal Resources, Appendix III, Security 
of Federal Automated Information Resources also applies. Federal and 
HHS/Office of the Secretary policies and standards include but are not 
limited to: All pertinent National Institute of Standards and 
Technology publications and the HHS Information Systems Program 
Handbook.

RETENTION AND DISPOSAL:
    HCAS is governed by the HHS Records Management and Disposition 
guidelines for the retention and destruction of IIF. The guidelines 
reference the National Archive and Records Administration Act of 1984 
(Pub. L. 98-497, 44 U.S.C. Chapter 21). The HCAS FESM/O&M will retain 
identifiable information maintained in the HCAS system of records in 
accordance with the National Archives and Records Administration 
General Records Schedules and Federal Acquisition Regulation (FAR 
4.805).

SYSTEM MANAGER(S) AND ADDRESS:
    Director, Information and Systems Management Services (ISMS), U.S. 
Department of Health and Human Services, Parklawn Building, 5600 
Fishers Lane, Rockville, Maryland 20857.

NOTIFICATION PROCEDURE:
    Inquiries should be made in writing to the System Owner, Deputy 
Assistant Secretary, Office of Grants and Acquisition Policy and 
Accountability, Assistant Secretary for Financial Resources, U.S. 
Department of Health and Human Services, 200 Independence Avenue, SW., 
Washington, DC 20201. The individual making the inquiry must show proof 
of identity before information is released and give name and social 
security number, purpose of inquiry, and if possible, the document 
number.

RECORD ACCESS PROCEDURES:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record contents being sought. (These procedures are in 
accordance with Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system owner named above, 
and reasonably identify the record and specify the information to be 
contested. State the corrective action sought and the reasons for the 
correction with supporting justification. (These procedures are in 
accordance with Department regulations 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:
    Information in HCAS will be collected, in part, from the data 
transmitted from i-Procurement which includes: Requisition number; date 
of

[[Page 21906]]

request; object class, appropriation code and Central Accounting Number 
(CAN) of the item requested; HHS requesting organization name; and 
location, HHS point of contact name and business contact phone number 
within the requesting organization; a description of the item requested 
and corresponding quantity and cost required. Other information 
collected includes; proposal, solicitation, market research, and 
contract award documentation.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 2011-9467 Filed 4-18-11; 8:45 am]
BILLING CODE 4150-24-P