Privacy Impact Assessment Statement
Prepared by: Thomas Cochran
Project: Commerce Business Environment (CBE) – Commerce Standard Acquisition Reporting System (CSTARS)/C.Buy
Unique Project Identifier: 006-98-01-01-01-0500-00-405-146
The Commerce Standard Acquisition Reporting System (CSTARS) is an enterprise-wide, client/server contract writing system based on Comprizon.Buy software that automates many key Department of Commerce (DoC) acquisition processes. C.Buy is the proprietary contract writing software used by the contracting and purchasing module of CSTARS. To support the mission and objectives of Commerce and the Office of Acquisition Management and Financial System (OAMFA), the CSTARS program was first implemented in FY2000 as a way to integrate, consolidate, and streamline the various acquisition systems and processes that formerly existed. CSTARS has enabled the Department to improve customer service and supports the e-Government mandates and initiatives.
CSTARS has been successfully rolled out in four of the five bureaus of Commerce that hold delegated procurement authority: the Office of the Secretary (OS); the Bureau of the Census; the National Institute of Standards and Technology (NIST); and the National Oceanic and Atmospheric Administration (NOAA), at its five Administrative Service Centers (ASC) and seventy field offices. The Patent and Trademark Office (PTO) uses Momentum, another commercial off-the-shelf (COTS) solution, for its acquisition needs and does not currently plan to migrate to CSTARS.
CSTARS is operated and managed in two locations. The Office of Computer Services (OCS), under the Chief Information Officer, hosts acquisition data for Census, OS, and NOAA. OCS provides each bureau with its own environment, consisting of a separate instance of the CSTARS application and its own Oracle database. NIST also uses CSTARS but operates and maintains a separate instance at its Gaithersburg, Maryland offices. Although each bureau's data is therefore stored in a separate database, Commerce uses a data warehouse solution to provide enterprise-wide reporting across them.
While CSTARS is implemented in a client/server environment, it uses Citrix MetaFrame as an application server. Citrix improves system efficiency by shifting most of the processing from the local client to the application server. All application logic executes on the server; only screen updates (i.e., "screen images"), mouse movements, and keystrokes are transmitted between client and server via Citrix. This reduces the amount of data transferred between the client and the server and so alleviates potential network bandwidth issues.
In addition to the primary procurement systems, Commerce utilizes numerous ancillary systems to support their acquisition processes. These include: C.Request, the electronic method for Commerce offices to submit procurement requests to the contracting office; the Enterprise Acquisition Reporting System (EARS); Commerce Business System (CBS); and the OAMFA Web pages. Currently, each bureau utilizes a combination of these systems to meet their acquisition needs.
1. What information is to be collected (e.g., nature and source)?
CSTARS/C.Buy imports and uses personally identifiable information (PII) from the Central Contractor Registration (CCR). CCR, which is operated by the General Services Administration (GSA), is the primary registrant database for contractors who wish to conduct business with the federal government. Individuals who wish to do business with the federal government are treated as Sole Proprietors for the purposes of CCR registration. To register in CCR, a Sole Proprietor must provide the Sole Proprietor's (personal) name, vendor/business name, addresses, taxpayer identification number (TIN), bank routing number, bank account number, business proprietary information, and similar PII and business identifiable information (BII). A Sole Proprietor may use his or her Social Security Number (SSN) instead of a TIN. Approximately five percent of CCR registrants are Sole Proprietors.
A TIN is a nine-digit number, which is either an Employer Identification Number (EIN) assigned by the Internal Revenue Service (IRS) or a Social Security Number (SSN) assigned by the Social Security Administration (SSA). Agencies are required to collect TINs [Debt Collection Improvement Act, 31 U.S.C. 7701(c)] and to include the TIN in vouchers submitted for payment [31 U.S.C. 3325 (d)]. The CCR allows individuals operating as Sole Proprietors to use their SSN in place of the EIN/TIN.
CCR PII will be imported into and used by CSTARS/C.Buy in those relatively few instances where the Department of Commerce may contract with a Sole Proprietor to purchase goods or services.
2. Why is the information being collected (e.g., to determine eligibility)?
The information is required as part of the federal acquisition process for services, goods, and materials provided by the vendor community to the federal government. Having the correct TIN in CCR improves data collection by allowing a single point of data entry for those who wish to do business with the federal government. Since October 1, 2003, any business wishing to do business with the federal government under a Federal Acquisition Regulation (FAR) based contract must be registered in CCR before being awarded a contract [FAR 4.1102 (October 1, 2003), and Federal Acquisition Circular (FAC) 2001-16]. In addition, this information is used in Commerce's Core Financial System, a module of the Commerce Business System (CBS), to make timely payments to these vendors for their services and materials.
3. What is the intended use of the information (e.g., to verify existing data)?
The information is used for the acquisition and payment of goods and services by NOAA, Census, OS, and NIST in support of their missions. Data is shared as required by the FAR.
4. With whom will the information be shared (e.g., another agency for a specified programmatic purpose)?
Other federal agencies, as required by the FAR.
5. What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Since October 1, 2003, any business wishing to do business with the federal government under a FAR-based contract must be registered in CCR before being awarded a contract [FAR 4.1102 (October 1, 2003), and FAC 2001-16]. Providing the information is therefore not voluntary: failure to provide it renders the contractor (Sole Proprietor) ineligible to obtain a FAR-based contract.
6. How will the information be secured (e.g., administrative and technological controls)?
The information in CSTARS/C.Buy is protected by user identification/password credentials that are issued only to authorized federal government contracting or finance officers, who are granted access to this information so that they can ensure payments are made properly.
Access to CCR and the personal information it contains is governed by the Interconnection Security Agreement (ISA) between Commerce and the General Services Administration (GSA). The ISA, which is renewed annually, requires that the signatories will adhere to the standards in National Institute of Standards and Technology (NIST) computer security publications, including NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems; and NIST SP 800-53, Recommended Security Controls for Federal Information Systems.
CSTARS/C.Buy has undergone and passed the Certification and Accreditation process, as defined in OMB Circular A-130. Certification and Accreditation (C&A) is the process of formal assessment and testing (certification) and acceptance (accreditation) of the security controls that protect IT systems and the data stored in and processed by them. The process ensures that the risk of operating a system is recognized, evaluated, and accepted.
CSTARS/C.Buy adheres to the standards in the Department of Commerce IT Security Program Policy and Minimum Implementation Standards; Appendix III, Security of Automated Information Resources, of OMB Circular A-130; the Computer Security Act; and the Federal Information Security Management Act (FISMA), Title III of P.L. 107-347.
7. Is a system of records being created under the Privacy Act, 5 U.S.C. 552a?
No. The existing Privacy Act system of records notice for DEPT-2, Accounts Receivable, applies to the personal information in this system.
8. How long will these records be retained?
The retention period for these records is governed by the General Records Schedules (GRS), which are issued by the National Archives and Records Administration (NARA) to provide disposition authorization for records common to several or all agencies of the Federal Government. In accordance with GRS 20, item 3, electronic versions of records scheduled for disposal may be deleted at the expiration of the retention period authorized by the GRS for the equivalent paper copies, or when no longer needed, whichever is later. GRS 3, item 3 authorizes disposal of the equivalent paper copies six years and three months after final payment and closeout of the contract.