Policy Document

You are here

PIA - ASH External Web Portal - Vendor Application (VAP)

DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration

  Privacy Impact Assessment

  ASH External Web Portal - 
  Vendor Application 
  https://vap.faa.gov 

August 3, 2009


Overview of Privacy Management Process

The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for: 

  • Regulating civil aviation to promote safety; 
  • Encouraging and developing civil aeronautics, including new aviation technology; 
  • Developing and operating a system of air traffic control and navigation for both civil and military aircraft; 
  • Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and 
  • Regulating U.S. commercial space transportation.. 

One of the programs that helps the FAA fulfill this mission is the OPERATIONAL AND SUPPORTABILITY IMPLEMENTATION SYSTEM (OASIS), which is a system providing the capabilities for acquiring and displaying weather graphics products, emergency services, law enforcement, administrative and supervisory capabilities, flight planning and regulatory information and system maintenance functions. 

One of the programs that helps the FAA fulfill this mission is the ASH External Web Portal - Vendor Application (VAP), which is a method to electronically gather basic information on contractors from contract companies in order to expedite the enrollment process for contract employees, and to improve database content and accuracy. 

The VAP provides contract companies the ability to send information to ASH Personnel Security Specialists quickly and easily through a secure web site.

Personally Identifiable Information (PII) and Vendor Application

The Vendor Application (VAP) system contains both personally identifiable information (PII) and non-personally identifiable information pertaining to contractor personnel. PII collected in the VAP includes: 

  • First name 
  • Middle initial 
  • Last name 
  • Social security number 
  • Date of birth 
  • Email address 
  • Place of birth - city, State, country 

An individual's PII is entered into the VAP by a contract company representative. The representative browses to the VAP Web site, and logs in using an account and password previously arranged with the Office of Security and Hazardous Materials. The representative enters the individual contractor's information into a form in the browser and submits it over an encrypted https link to the VAP database server.

Why Vendor Application Collects Information

The VAP collects information in order to get the enrollment process for contract employees started more quickly and efficiently, as well as to improve database content and accuracy.

Legal Authority for Information Collection

Title 49 U.S.C., chapter 449, Air Transportation Security, enacted as Pub. L. 103-272 on July 5, 1994; Transportation Safety Act of 1974; FAA Drug Enforcement Assistance Act of 1988; Executive Order (E.O.) 10450, Security Requirements for Government Employment; E.O. 12968, and E.O. 12829.

How Vendor Application Uses Information

Information in the VAP is used by FAA personnel security specialists to gather basic information on contractors from contract companies, in order to get the enrollment process started more quickly and efficiently, as well as to improve database content and accuracy.

How Vendor Application Shares Information

PII contained in the VAP is shared only between the contract company and FAA personnel security specialists. The contract company representative enters data into VAP, which then electronically transfers the data to the ASH ITS (Investigations Tracking System) application for review by the FAA personnel security specialist.

How Vendor Application Provides Notice and Consent

For an individual's PII to be included in the VAP, that individual must be applying for a contract employee position with FAA. The contractor applicant must also complete and submit a SF-85P "Questionnaire for Public Trust Positions", which contains the notice: "Giving us the information we ask for is voluntary. However, we may not be able to complete your investigation, or complete it in a timely manner, if you don't give us each item of information we request. This may affect your placement or employment prospects."

How Vendor Application Ensures Data Accuracy

PII collected in the VAP is manually input by the contractor company representative into a web browser, using the VAP online input form. Once the data is transferred into the FAA ITS, the data is verified and cross-checked against the data submitted directly by the contractor on his SF-85P form. The FAA Personnel Security Specialist responsible for investigating the individual can determine if there are any inaccuracies in the data submitted in the VAP by contacting the individual directly. 

Under the provisions of the Privacy Act, individuals may request searches of the FAA ITS file to determine if any records have been added that may pertain to them. (Records would only be added if they have applied for a contractor position with the FAA.) This is accomplished by sending a written request to the FAA Security and Hazardous Materials Investigations program office that contains name, authentication information, and information regarding the request.

How Vendor Application Provides Redress

Contractors applying for positions with the FAA can change data submitted through the VAP by submitting an SF-85P with the correct information, and contacting the Personnel Security Specialist handling their investigation in the FAA Security and Hazardous Materials Investigations program office. 

   Office of the Assistant Administrator for Security and Hazardous Materials
   Federal Aviation Administration
   800 Independence Avenue, SW
   Washington, DC 20591

How Vendor Application Secures Information

The VAP takes appropriate security measures to safeguard PII and other sensitive date. The contract company representative must first log into the VAP using a user name and password provided by FAA. The entire session is encrypted using https, so that the PII data is protected during transmission to the VAP database server in the ASH External Web Portal. The database is protected behind the FAA ENET firewalls as well as behind the firewall on the ASH External Web Portal subnet. Every 30 minutes any data that has been submitted to the VAP database is transferred to the database server for the ITS application, and the data is erased from the VAP database server. 

In addition, access to the ASH External Web Portal - Vendor Application PII is limited according to job function. The ASH External Web Portal - Vendor Application access control privileges are set according to the following roles:

  • User (Level 3) - Contractor Representative
  • User (Level 2) - FAA Personnel Security Specialist
  • System Administrator - FAA ASH System Engineers and DBA

The matrix below describes the levels of access and safeguards around each of these roles as they pertain to PII.

Role Access Safeguard

User (Level 3)

Contractor Representative

  • Submit new records (no access to data already submitted)
  • Access and change own profile information
  • User-set user name and password
  • Account set-up approved by User (Level 2)
  • Passwords expire after a set period
  • Minimum length of passwords is 8 characters
  • Passwords must be combination of alpha/numeric/special characters
  • Accounts are locked after a set number of incorrect log-in attempts

User (Level 2)

FAA Personnel Security Specialist

  • Submit new records in ITS
  • Change existing records in ITS
  • Create (Level 3) account for Contractor Representatives
  • Access and change own profile information
  • Access and change User (Level 3) profile information
  • User-set user name and password
  • Account set-up approved by Site Administrator (Level 1)
  • Passwords expire after a set period
  • Minimum length of passwords is 8 characters
  • Passwords must be combination of alpha/numeric/special characters
  • Accounts are locked after a set number of incorrect log-in attempts
System Administrator
  • Search and view user names and profile information
  • Grant User (levels 2 and 3) accounts, reset account passwords, view access log information
  • Delete profiles (without viewing full profile information)
  • View, search, add, change, and delete all information in database
  • User-set user name and password
  • Account set-up approved by OIG management
  • Passwords expire after a set period
  • Minimum length of passwords is 8 characters
  • Passwords must be combination of alpha/numeric/special characters
  • Accounts are locked after a set number of incorrect log-in attempts
  • Must access system from limited number of computers, each of which also has user name/password access control.

How Long Vendor Application Retains Information

Data in the ASH External Web Portal - Vendor Application is maintained for up to 30 minutes before being transferred to the ITS database.

System of Records

The ASH External Web Portal - Vendor Application transfers information to the ITS, which is an application on the ASH Internal Web Portal. The ITS is a part of the Investigative Record System, which is a system of records subject to the Privacy Act.

Updated: Tuesday, April 9, 2013