DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
PRIVACY IMPACT ASSESSMENT
PRISM
April 10, 2010
System Overview
The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:
- Regulating civil aviation to promote safety;
- Encouraging and developing civil aeronautics, including new aviation technology;
- Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
- Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
- Regulating U.S. commercial space transportation.
One of the programs that help FAA fulfill this mission is PRISM, which supports multiple purchasing sites, electronic routing and approval, requisitioning, electronic notifications, contract management, and post award processing and closeout. PRISM system architecture allows it to integrate and communicate seamlessly with existing systems such as financial or inventory. PRISM software is directly integrated with DOT's core accounting system, DELPHI. Financial data is exchanged with the Logistical Information System (LIS) server in Kansas City. The data exchanged involves hundreds of application program interface (API) data elements, attributes and associated mappings.
Personally Identifiable Information (PII) and PRISM
The PRISM system contains both personally identifiable information (PII) and non-personally identifiable information pertaining to vendors, which are registered within the Central Contractor Registration (CCR system), and DOT's Core Accounting System, DEPLHI. PII is not collected directly by PRISM from vendors and neither CCR nor DELPHI is designed to collect personally identifying information from individuals who are not acting in their entrepreneurial capacities. PII retained within in the PRISM system may include the following PII, where a vendor uses PII in identifying himself or herself in an entrepreneurial capacity:
- vendor's name;
- date of birth;
- social security number;
- mailing address; and
- financial account information.
An individual's PII enters the PRISM system when a vendor submits a proposal or invoice, or when FAA enters a relationship with an individual or organization that requires an accounting relationship through the procurement of goods or services. Typically, the information exists in DELPHI and is made available to PRISM through electronic transfer.
Why PRISM Collects Information
PRISM collects information in order to fulfill basic accounting functions relating to the requisition of goods or services. The PRISM system collects PII only when an individual requires an accounting relationship with FAA.
How PRISM Uses Information
Users of PRISM are involved with the procurement of goods and services as well as the maintenance and security of the supporting information needed to accomplish these tasks for FAA. Included within a wide variety of groups who use PRISM are user organizations with staff functioning as Contracting Officer's Technical Representatives (COTRs); requisitioners of goods and services and their approvers; funds certifiers who ensure that the monies are available and are accurate; the actual Contracting Officer (CO) for each purchase made through PRISM; System Administrators (SAs); and site security officers who ensure that PRISM operates correctly and security requirements are met.
How PRISM Shares Information
PII contained in PRISM is not shared with individuals, organizations, and entities. PII contained within PRISM already exists within the systems for which a data exchange exists.
Three interfaces have been identified that will send, receive or exchange data with PRISM. They are the Logistical Information System (LIS), Federal Procurement Data System Next Generation (FPDS-NG), and DELPHI. The PRISM system communicates with DELPHI through the Oracle Compusearch Interface (OCI).
The PRISM system both delivers to and receives data through the OCI from DELPHI. The exchange of procurement information between PRISM and LIS takes place over a LIS interface.
How PRISM Provides Notice and Consent
Entry of PII into Delphi, and subsequently PRISM, is a necessary condition of any employment relationship, payment, or other financial transaction with FAA. The users of PRISM are presented with an electronic form detailing the Rules of Behavior established by PRISM operators to alert users of notice and consent to monitoring their actions prior to login.
How PRISM Ensures Data Accuracy
Much of the information regarding an individual is provided by that individual through the CCR. In some cases a DELPHI user may enter the information. Each of these systems has mechanisms, and the responsibility, to ensure data accuracy.
Under the provisions of the Privacy Act, individuals may request searches of the PRISM file to determine if any records have been added that may pertain to them. This is accomplished by sending a written request directly to the PRISM program office that contains name, authentication information, and information regarding the request. Only those individuals that can change CCR information are permitted to view that sensitive CCR information in PRISM.
FAA does not allow access through either the Internet or Intranet to the information stored in PRISM.
How PRISM Provides Redress
Under the provisions of the Privacy Act, individuals may request searches of the PRISM files to determine if any records have been added that may pertain to them.
Notification procedure: Individuals wishing to know if their records appear in this system may inquire in person or in writing to the appropriate system manager. Included in the request must be the following:
- Name
- Mailing address
- Phone number and/or email address
- A description of the records sought, and if possible, the location of the records
Contesting record procedures: Individuals wanting to contest information about themselves that is contained in this system should make their requests in writing, detailing the reasons for why the records should be corrected. Requests should be submitted to the attention of FAA official responsible for the record, at the address appearing in this notice.
Federal Aviation Administration
Privacy Office
Attention: Carla Mauney
800 Independence Ave. SW
Washington DC, 20591
For questions relating to privacy go to FAA Privacy Policy: http://www.faa.gov/privacy/
How PRISM Secures Information
PRISM takes appropriate security measures to safeguard PII and other sensitive date. The PRISM application is housed on the agency's dedicated central procurement server. PRISM has one parent site named FAA and 12 child sites named by the individual region, center, or headquarters. There is no hardware or equipment for the PRISM system at any of the child sites. Many system configuration items, such as document numbering and approval authority, are defined at the site level.
Because PRISM users can access the PRISM system through a Web browser, access is only via FAA intranet and operates under the Secure Socket Layer (SSL) encryption technology.
Personnel with physical access have all undergone and passed FAA background checks.
In addition, access to PRISM PII is limited according to job function, through system-defined security groups. PRISM access control privileges are set according to the following roles:
- PRISM User
- Site Administrator
- System Administrator
The following matrix describes the levels of access and safeguards around each of these roles as they pertain to PII.
| Role | Access | Safeguards |
|---|---|---|
| PRISM User |
|
|
| Site Administrator |
|
|
| System Administrator |
|
|
In addition to the requirements of the Federal Information Security Management Act of 2002 (FISMA), a Security Certification and Accreditation (C&A) was completed for PRISM. The C&A process is an audit of policies, procedures, controls, and contingency planning, required to be completed for all federal government IT systems every three years. All relevant policies, procedures and guidelines, including National Institute of Standards and Technology (NIST) Special Publication 800-53, have been followed to ensure the security of the system and the information it contains.
How Long PRISM Retains Information
Data in PRISM is maintained for Archived system audit logs and backup data is stored for a minimum of two (2) years.
System of Records
PRISM is a system of records subject to the Privacy Act because it is searched by Vendor Number and Taxpayer ID Number, which could possibly be an individual's social security number. The Privacy Act System of Records Notice is: DOT/ALL 7 Departmental Accounting and Financial Information System, DAFIS.