DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
Office of Financial Services

PRIVACY IMPACT ASSESSMENT

PRISM

April 2010

System Overview

The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:

Regulating civil aviation to promote safety;
Encouraging and developing civil aeronautics, including new aviation technology;
Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
Regulating U.S. commercial space transportation.

One of the programs that help FAA fulfill this mission is PRISM, which supports multiple purchasing sites, electronic routing and approval, requisitioning, electronic notifications, contract management, and post award processing and closeout. PRISM system architecture allows it to integrate and communicate seamlessly with existing systems such as financial or inventory. PRISM software is directly integrated with DOT’s core accounting system, DELPHI. Financial data is exchanged with the Logistical Information System (LIS) server in Kansas City. The data exchanged involves hundreds of application program interface (API) data elements, attributes and associated mappings.

Personally Identifiable Information (PII) and PRISM

The PRISM system contains both personally identifiable information (PII) and non-personally identifiable information pertaining to vendors, which are registered within the Central Contractor Registration (CCR system), and DOT’s Core Accounting System, DEPLHI. PII is not collected directly by PRISM from vendors and neither CCR nor DELPHI is designed to collect personally identifying information from individuals who are not acting in their entrepreneurial capacities. PII retained within in the PRISM system may include the following PII, where a vendor uses PII in identifying himself or herself in an entrepreneurial capacity:

vendor’s name;
date of birth;
social security number;
mailing address; and
financial account information.

An individual’s PII enters the PRISM system when a vendor submits a proposal or invoice, or when FAA enters a relationship with an individual or organization that requires an accounting relationship through the procurement of goods or services. Typically, the information exists in DELPHI and is made available to PRISM through electronic transfer.

Why PRISM Collects Information

PRISM collects information in order to fulfill basic accounting functions relating to the requisition of goods or services. The PRISM system collects PII only when an individual requires an accounting relationship with FAA.

How PRISM Uses Information

Users of PRISM are involved with the procurement of goods and services as well as the maintenance and security of the supporting information needed to accomplish these tasks for FAA. Included within a wide variety of groups who use PRISM are user organizations with staff functioning as Contracting Officer’s Technical Representatives (COTRs); requisitioners of goods and services and their approvers; funds certifiers who ensure that the monies are available and are accurate; the actual Contracting Officer (CO) for each purchase made through PRISM; System Administrators (SAs); and site security officers who ensure that PRISM operates correctly and security requirements are met.

How PRISM Shares Information

PII contained in PRISM is not shared with individuals, organizations, and entities. PII contained within PRISM already exists within the systems for which a data exchange exists.

Three interfaces have been identified that will send, receive or exchange data with PRISM. They are the Logistical Information System (LIS), Federal Procurement Data System – Next Generation (FPDS-NG), and DELPHI. The PRISM system communicates with DELPHI through the Oracle Compusearch Interface (OCI).

The PRISM system both delivers to and receives data through the OCI from DELPHI. The exchange of procurement information between PRISM and LIS takes place over a LIS interface.

How PRISM Provides Notice and Consent

Entry of PII into Delphi, and subsequently PRISM, is a necessary condition of any employment relationship, payment, or other financial transaction with FAA. The users of PRISM are presented with an electronic form detailing the Rules of Behavior established by PRISM operators to alert users of notice and consent to monitoring their actions prior to login.

How PRISM Ensures Data Accuracy

Much of the information regarding an individual is provided by that individual through the CCR. In some cases a DELPHI user may enter the information. Each of these systems has mechanisms, and the responsibility, to ensure data accuracy.

Under the provisions of the Privacy Act, individuals may request searches of the PRISM file to determine if any records have been added that may pertain to them. This is accomplished by sending a written request directly to the PRISM program office that contains name, authentication information, and information regarding the request. Only those individuals that can change CCR information are permitted to view that sensitive CCR information in PRISM.

FAA does not allow access through either the Internet or Intranet to the information stored in PRISM.

How PRISM Provides Redress

Under the provisions of the Privacy Act, individuals may request searches of the PRISM files to determine if any records have been added that may pertain to them.

Notification procedure: Individuals wishing to know if their records appear in this system may inquire in person or in writing to the appropriate system manager. Included in the request must be the following:

Name
Mailing address
Phone number and/or email address
A description of the records sought, and if possible, the location of the records

Contesting record procedures: Individuals wanting to contest information about themselves that is contained in this system should make their requests in writing, detailing the reasons for why the records should be corrected. Requests should be submitted to the attention of FAA official responsible for the record, at the address appearing in this notice.

Federal Aviation Administration
Privacy Office
Attention: Carla Mauney
800 Independence Ave. SW
Washington DC, 20591

For questions relating to privacy go to FAA Privacy Policy: http://www.faa.gov/privacy/

How PRISM Secures Information

PRISM takes appropriate security measures to safeguard PII and other sensitive date. The PRISM application is housed on the agency’s dedicated central procurement server. PRISM has one parent site named ‘FAA’ and 12 child sites named by the individual region, center, or headquarters. There is no hardware or equipment for the PRISM system at any of the child sites. Many system configuration items, such as document numbering and approval authority, are defined at the site level.

Because PRISM users can access the PRISM system through a Web browser, access is only via FAA intranet and operates under the Secure Socket Layer (SSL) encryption technology.

Personnel with physical access have all undergone and passed FAA background checks.

In addition, access to PRISM PII is limited according to job function, through system-defined security groups. PRISM access control privileges are set according to the following roles:

PRISM User
Site Administrator
System Administrator

The following matrix describes the levels of access and safeguards around each of these roles as they pertain to PII.

ROLE	ACCESS	SAFEGUARDS
PRISM User	Submit new requisition records Change existing requisition information Approve requisitions Review requisitions and awards Funds availability research	Requires all users to have a User ID and Password. Approval passwords are separate from login passwords. Assigned to Security Groups to limit functionality by type (e.g., Contracting Officer, Approving Official) Users automatically inactivated based upon agency-defined rules. Users automatically inactivated after a prescribed number of failed login attempts. Passwords expired after a user-defined time period. Prescribed password parameters (e.g., length, character type). Password data is encrypted. Audit log of successful and failed login attempts; log includes the originating IP address.
Site Administrator	Submit new users and assigns security groups Change existing users and security group association Access and change own profile information Access and change User profile information	All User-set user name and password restrictions applicable Account set-up approved by System Administrator Security Group Set-up
System Administrator	Search and view user names and profile information Grant User and Site Administrator accounts, reset account passwords, view access log information Delete profiles (without viewing full profile information)	All User-set user name and password restrictions applicable System level configuration including security groups

In addition to the requirements of the Federal Information Security Management Act of 2002 (FISMA), a Security Certification and Accreditation (C&A) was completed for PRISM. The C&A process is an audit of policies, procedures, controls, and contingency planning, required to be completed for all federal government IT systems every three years. All relevant policies, procedures and guidelines, including National Institute of Standards and Technology (NIST) Special Publication 800-53, have been followed to ensure the security of the system and the information it contains.

How Long PRISM Retains Information

Data in PRISM is maintained for Archived system audit logs and backup data is stored for a minimum of two (2) years.

System of Records

PRISM is a system of records subject to the Privacy Act because it is searched by Vendor Number and Taxpayer ID Number, which could possibly be an individual’s social security number. The Privacy Act System of Records Notice is: DOT/ALL 7 Departmental Accounting and Financial Information System, DAFIS.