Overview

Universal Pre-employment Suitability Transaction Accountability & Reporting Tool (UpSTART) is owned by the DOL OASAM Security Center (SC) and is a subsystem to OutSystems, which is owned by DOL OASAM OCIO. This PIA documentation pertains to the use of UpSTART. Within OutSystems, where it will be hosted, the UpSTART application is named "UpStart."

The purpose of UpSTART is to receive information about applicants to, employees of, and contractors for the U.S. Department of Labor (USDOL) as they are reviewed for suitability or fitness, respectively, and, as applicable, security clearances. The application will be used to track and manage requests for suitability determinations, fitness determinations, and security clearances, handle the internal work flows of OASAM-Division of Security and Suitability (DPSS), and manage the various documents that are generated during the course of these processes.

The application will use roles to control access. Additionally, static content (non-PII) will be hosted within the application.

Either a USDOL Human Resources (HR) staff member or USDOL Contracting Officer Representative (COR), from within the USDOL network (VPN or DOL GSS), will submit a webpage into a custom screen with applicant information (PII) and supplemental forms (PII), as required for the type of employment that the individual is being assessed for. The record created by the screen webpage will then be routed by a series of logic-based decision points in a workflow (WF) through various internal DPSS reviews. The application will be used to reflect the updates and statuses that are being performed in other, non-USDOL systems such as USAccess and eQIP. The WFs will provide email notifications (without PII) to persons affected, impacted, or needed to work on the SP list record. The Application will use date/time stamps to help monitor and track service level agreements and internal organizational performance data.

In UpStart, when an individual is favorably adjudicated for federal employment, a summary report and memo are generated into a PDF Document from fields previously entered in the process. This document will be downloadable. The documents are reviewed by a DPSS staff member and digitally signed when the user selects "download" or "generate report". The document is then saved to the HR Repository available to all DPSS and HR Staff. HR Staff perform eOPF (non-connected system) document upload functions. The creation of the PDF in the file library for HR triggers an email notification (without PII) to the HR Specialist who performs the uploads to the selected system.

Throughout the entire lifecycle of a transaction in this application, email notifications are generated and pushed in MS Outlook.

The Application will share information with ServiceNow as a means to convey approvals for personnel to start the onboarding process.

The Application has the following components:

  • Submission
    • Webpage used by USDOL HR and COR staff to initiate process
  • Withdrawal
    • Webpage used to notify DPSS that an applicant or contractor has withdrawn from the process and no further suitability/screening needs to be performed
  • Hiring Manager Narrative
    • Webpage to allow a USDOL hiring manager to provide a security clearance justification narrative, as applicable, for applicants who will require access to classified, national security information.
  • Narrative Review
    • Webpage to allow DPSS to review the Hiring Manager narrative to determine if the narrative provided supports the national security clearance requested for an applicant.
  • USAccess Sponsorship
    • Webpage to allow DPSS to review the Submission submitted by USDOL HR/COR staff for accuracy. Additionally, the webpage can be used to provide feedback to the original submitter of deficiencies in Submission. Lastly, the webpage can track the status of when the Submission was accepted for processing in USAccess (non-DOL system).
  • Fingerprinting
    • Webpage to allow DPSS to track the applicant’s/employee’s/contractor’s fingerprinting request, results, and review from USAccess and the Central Verification System (CVS) (non-DOL system).
  • Investigation
    • Webpage to allow DPSS to track the applicant’s/employee’s/contractor’s eQIP (non-DOL system) completion and the outside investigating agency’s (ex. Department of Defense, Defense Counter-Surveillance Agency) progress of conducting and completing a background investigation via CVS.
  • Adjudication
    • Webpage to allow DPSS to track the internal assignment, review, adjudication determination, and final disposition of an applicant’s/employee’s/contractor’s background investigation.
  • Reporting
    • Table and/or dashboard view(s) of data maintained in the application that can be used to track the statuses of individual cases as well as DPSS performance metrics.
  • Administration
    • A group of webpages for transaction logs, user event transaction logs, and data tables used to monitor, diagnose, and resolve issues.

Within the Application, the document library will have the following components:

  • DL1-189
    • A PDF Document that is generated based on logic-driven events from the UpStart WF that compiles data from the database and list to provide a generated summary document, internally called a DL1-189.
    • The document collects a signature based on the authenticated user session from the DPSS Staff member that generates the document.
  • Shared Documents
    • A repository where PDF versions of documents are published to upon completion by DPSS staff and that will be accessible to HR staff for retrieval for uploading into individual employee’s eOPF (manually transacted – no data connection between the systems).
    • An UpStart WF then sends an email to the USDOL HR staff member alerting them to the completed document so that a copy of the DL1-189 can be saved from this Application to the individual employee’s eOPF.

Additionally, there will be a Repository document library and various other static web pages and content stored within the Application.

  • Used to store HTML, CSS, JavaScript, and image/logo files, along with other content necessary for the presentation, customization, and user experience within the Application.

This PIA document is being developed for integration of the UpSTART application within the OutSystems platform. It is provided to ensure that all PII and sensitive information types are documented so that appropriate security measures are implemented. The legal authority to operate the program or system includes the following: 5 CFR 731, 5 CFR 732, and 5 CFR 1400 govern suitability, and national security as applied to the DOL. Also, Executive Orders 12968, 13467, 13488. Program-specific SORN is OASAM-20, Personnel Investigation Records.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

From whom is information to be collected?

The Application collects PII on DOL employees, applicants to DOL, student volunteers, and current and potential contractors of DOL. Most of the PII collected will be from applicants and potential contractors who are likely to be members of the public (U.S. citizens) and/or foreign citizens. No PII from minor children is anticipated to be collected in this Application.

Why is the Information being collected?

The information collected by this Application is necessary in order for OASAM-DPSS to make suitability and national security determinations, as appropriate, for applicants and contractors for employment and both physical and network access to DOL assets.

What is the PII being collected, used, disseminated, or maintained?

  • First, Middle, Last Name, and, as applicable, Suffix
  • Date of birth
  • Place of birth
  • SSN
  • Residential address
  • Personal phone numbers
  • Mailing address (e.g., P.O. Box)
  • Personal e-mail address
  • Current & previous business addresses
  • Legal documents or notes (e.g., divorce decree, criminal records)
  • Educational records

OTHER:

  • Job Title
  • Employing Agency (within DOL)
  • Supervisor Name
  • Supervisor Work Email (DOL)
  • Position Risk, Sensitivity, and Clearance Level
  • Duty Station

How is the PII collected?

The PII will be collected via a webpage, with PII entered by either a USDOL HR staff member or COR directly into the Application. During this type of entry, an attachment will be submitted to the record in the system by the submitter which will also contain PII.

How will the information collected from individuals or derived from the system be checked for accuracy?

The webpage that USDOL HR and COR staff use to submit information will have some validation scripts to ensure that data entered matches the right format and structure prior to submission. Upon submission within UpSTART, DPSS will perform a comprehensive review of all data that is received. This will be accomplished by checking the data against the OF-306 that was submitted as an attachment. DPSS staff will also perform validation checks of the data by comparing the submission against external systems (manually, without any data connections) such as USAccess, CVS, and eQIP. Data that is found to be invalid or incorrect will be returned to the submitter for correction prior to proceeding with suitability and security clearance investigations.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

The Office of Personnel Management (OPM) is authorized to collect this information under US Code Title 5 1302, 3301, 3304, 3328, & 8706. 5 CFR 1104 allows OPM to delegate personnel management functions to other Federal agencies. Public Law 104-134 asks Federal agencies to use social security numbers to help identify individuals in agency records. Other controlling guidance relative to personnel security and suitability includes 5 CFR 731, 5 CFR 732, and 5 CFR 1400. Also, Executive Orders 12968, 13467, 13488.

Privacy Impact Analysis

The PII stored is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The privacy risks identified with the amount and type of data collected can be mitigated through the following FedRAMP baseline security controls:

Technical Class Controls

  • Access Control (AC):
    • Access Control Policy and Procedures

      The site owners group will control the UpSTART Local Admin group and will adhere to the following procedures:

      Requests to add/modify users in this group will need to be authorized by both the Administrative Officer for OASAM and the Director for Personnel Security. In certain unforeseen circumstances where no site owner is able to grant or modify access, OCIO OutSystems Support may infrequently be tasked with this function.

      The UpSTART System Admin group will control all user groups who will access the UpSTART application and will adhere to the following procedures:

      Requests to add a user to the System Admin group will only be authorized by the Director or Deputy Director of Personnel Security.

      Requests to add a user to an HR group will only be accepted from the HR officers from SOL or OIG, or their designee. Requestors from OHR will be limited to supervisors in the Staffing division, the Chief Human Capital Officer, or their designee.

      Requests to add a user to a COR group will be validated with the Chief Procurement Officer or their designee.

      Requests to add a user to a DPSS group will be validated by either the Director or Deputy Director for DPSS or the Director or Deputy Director for Suitability.

    • Account Management

      Account Management functions will be performed exclusively by users in the UpSTART System Admin group.

    • Access Enforcement

      Access will be enforced by written policy that is drafted by DPSS and shared within DOL.

    • Separation of Duties

      Separation of duties within the system will be enforced by limiting the roles that users can perform. For example: a user who has the ability to submit an entry will not have the ability to clear someone to onboard. Users who have the ability to adjudicate a record for a security clearance will not have the ability to perform pre-adjudication functions in the application for DPSS.

    • Least Privilege

      User groups will have their permissions tailored within OutSystems to only allow for functionality that they need to perform their duties. For example, the ability to delete an entry will be restricted to privileged users in the UpSTART System Admin group.

    • Unsuccessful Login Attempts

      OutSystems uses SSO for login when using Internet Explorer within the DOL GSS. For other web browsers, users must enter their Windows user name and password for login. Repeated unsuccessful login attempts are captured with other unsuccessful login attempts on logs accessible to the ESD.

    • System Use Notification

      OCIO OutSystems Support can access monitors and logging tools to assess system use.

    • Session Lock

      Session lock follows the same system rules for inactivity as a user’s Windows or VPN session.

    • Supervision and Review – Access

      No fewer than once every 30 days, DPSS management will validate the users currently assigned to each permission group. This will be accomplished by sending a copy of each group’s membership to its authorizer(s).

  • Audit and Accountability (AU):
    • Audit and Accountability Policy and Procedures

      Permissions will be audited by both a system administrator and a DPSS supervisor once every 30 days.

      Actions taken within UpSTART will be continually monitored and subject to both random and periodic audits pursuant to internal DPSS policy. Events deemed relevant to DPSS’ need to conduct audit and accountability activities will be logged in the application by preconfigured workflow events.

    • Auditable Events

      Changes to permissions; users, dates, and times that approvals occurred at various stages of the suitability and adjudication process

    • Content of Audit Records

      Action taken, user who took the action, date, and time of action

    • Audit Monitoring, Analysis, and Reporting
  • Identification and Authentication:
    • Identification and Authentication Policy and Procedures
    • Authenticator Management

Operational Class Controls

  • Physical and Environmental Protection (PE)
    • Physical and Environmental Protection Policy and Procedures
    • Physical Access Authorizations
    • Physical Access Control
  • Awareness and Training (AT)
    • Awareness and Training Policy and Procedures
    • Security Awareness
    • Security Training
  • Media Protection (MP)
    • Media Protection Policy and Procedures
    • Media Access
    • Media Storage

Management Class Controls

  • Risk Assessment (RA)
    • Risk Assessment Policy and Procedures

Describe the Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

To disclose pertinent information to the appropriate Federal, State, or local agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order, when the disclosing agency becomes aware of an indication of a violation or potential violation of civil or criminal law or regulation.

To disclose information to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and to identify the type of information requested), when necessary to obtain information relevant to an agency decision to hire or retain an employee, issue a security clearance, and/or to conduct a security or suitability investigation of an individual.

To disclose to a Federal agency in the executive, legislative, or judicial branch of Government, in response to its request, or at the initiation of the agency maintaining the records, information in connection with the hiring of an employee, the issuance of a security clearance or determination concerning eligibility to hold a sensitive position, the conducting of an investigation for purposes of a credentialing, national security, fitness, or suitability adjudication concerning an individual, the classifying or designation of jobs, the letting of a contract, the issuance of a license, grant, or other benefit by the requesting agency, or the lawful statutory, administrative, or investigative purpose of the agency to the extent that the information is relevant and necessary to the requesting agency's decision.

What types of tools are used to analyze data and what type of data may be produced?

MS Excel – computation of service level agreements, processing times, workloads.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No.

If the system uses commercial or publicly available data, please explain why and how it is used.

N/A

Will the use of PII create or modify a “system of records notification” under the Privacy Act?

No. The uses of PII are previously covered under OASAM-20, Personnel Investigation Records.

Privacy Impact Analysis

The operational storage and use of PII can create the risk of unauthorized access and disclosure. Limited staff have access to the PII originating in UpSTART. No PII that was originally collected by DPSS will be transmitted via email. The PII is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The privacy risks identified with the storage and use of PII can be mitigated through the following FedRAMP baseline security controls:

Technical Class Controls

  • Access Control (AC):
    • Access Control Policy and Procedures
    • Account Management
    • Access Enforcement
    • Separation of Duties
    • Least Privilege
    • Unsuccessful Login Attempts
    • System Use Notification
    • Session Lock
    • Supervision and Review – Access
  • Audit and Accountability (AU):
    • Audit and Accountability Policy and Procedures
    • Auditable Events
    • Content of Audit Records
    • Audit Monitoring, Analysis, and Reporting
  • Identification and Authentication:
    • Identification and Authentication Policy and Procedures
    • Authenticator Management

Operational Class Controls

  • Awareness and Training (AT)
    • Security Awareness and Training Policy and Procedures
    • Security Awareness
    • Security Training
  • Media Protection (MP)
    • Media Protection Policy and Procedures
    • Media Access
    • Media Storage

Management Class Controls

  • Planning (PL)
    • Security Planning, Policy, and Procedures
    • Rules of Behavior
  • System and Services Acquisition (SA)
    • Systems and Services Acquisition Policy and Procedures
    • Software Usage Restrictions
    • Security Design Principles

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

For the duration of the employment or contract relationship, or 20 years, whichever is longer.

Is a retention period established to minimize privacy risk?

Yes. The retention period is established to minimize privacy risk in accordance with OASAM-20, Personnel Investigation Records.

Has the retention schedule been approved by the National Archives and Records Administration (NARA)?

Yes, UPSTART records are covered under the General Records Schedule 6.1 & 5.6.

Per M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

UPSTART follows the NARA Capstone approach for data retention and elimination of records (including PII) after the retention record period has expired.

Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

No.

How is it determined that PII is no longer required?

A determination as to when PII is no longer required within the system is performed as part of periodic program reviews and data calls, annual ATO document review, including System Categorization, Privacy Threshold Analysis and Privacy Impact Assessment.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

PII is masked through the use of encryption for data in transit and at rest.

Privacy Impact Analysis

The risk of unauthorized access and unauthorized disclosure is proportionally increased by the length of time in which the data is retained. The key security controls to ensure that PII is properly protected include:

Operational Controls

  • System and Information Integrity (SI)
    • Information Handling and Retention

Privacy Controls

  • Data minimization and Retention (DM)
    • Minimization of Personally Identifiable Information
    • Data Retention and Disposal
    • Minimization of PII Used in Testing, Training, and Research

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

Office of Human Resources, SOL HR, and OIG HR offices performing staffing functions, and Contracting Officer Representatives onboarding contractors within DOL will be sharing PII with DPSS through UpSTART. The PII is collected to perform prescreening of federal and contract personnel and to initiate/review/process/adjudicate background investigations and security clearances.

How is the PII transmitted or disclosed?

PII is saved within the UpSTART application and will only be accessed via permissions groups administered by the aforementioned privileged user groups. PII will be disclosed by DPSS in the execution of day-to-day business to perform reciprocity checks using CVS and initiate background investigations via eQIP, where appropriate and within DPSS’s existing authority and jurisdictional purview.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

DPSS will undertake periodic program reviews aimed at addressing the sharing of PII to determine if the information is no longer required, and as appropriate, to stop the transfer of sensitive information. Additionally, DPSS has implemented functionality to withdraw a subject from further suitability and clearance adjudications. In doing so, DPSS will terminate agency actions relevant to the applicant processing and stop the transfer of sensitive information.

Privacy Impact Analysis

When information is shared, there is always a risk that the sharing partner does not have the appropriate authorized access level resulting in unauthorized disclosure. The PII stored in UPSTART is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The key security controls to ensure that access to PII is properly authorized include:

Technical Controls

  • Access Control (AC)
    • Information Sharing
  • Audit and Accountability (AU):
    • Audit and Accountability Policy and Procedures
    • Auditable Events
    • Content of Audit Records
    • Audit Monitoring, Analysis, and Reporting

Operational Controls

  • Media Protection (MP)
    • Media Access
    • Media Marking
    • Media Storage
    • Media Transport
    • Media Transport/Cryptographic Protection

Privacy Controls

  • Use Limitation (UL)
    • Internal Use

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

System streamlines existing process where PII is shared with the investigating agency, currently Department of Defense, to conduct investigations to determine suitability for employment/contract work with the federal government. However, this sharing will take place outside of the application and will not involve any data connections.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes; SORN OASAM 20 – Personnel Investigation Records (https://www.dol.gov/sol/privacy/dol-oasam-20.htm).

How is the information shared outside the Department and what security measures safeguard its transmission?

Information is used to access/route investigations to non-DOL systems: USAccess, CVS and eQIP. Security of these systems is maintained by DOD and access is governed by a portal accessed via an approved user’s PIV card, then additional login to each system, respectively.

How is the information transmitted or disclosed?

System entry/routing through non-DOL systems: USAccess, CVS and eQIP. Security of these systems is maintained by DOD and access is governed by a portal accessed via an approved user's PIV card, then additional login to each system, respectively.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If yes, include who the agreement is with and the duration of the agreement.

Yes, an MOU is in place and the agreement reflects the scope of information shared. Please reference 19-MOU-215 between the OASAM Security Center and DOD, Defense Counterintelligence Security Agency. The agreement is in effect through 9/30/2024.

How is the shared information secured by the recipient?

DOL submits the information to the recipient (DOD) via the recipient’s secure systems (i.e., USAccess, CVS and eQIP).

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

Non-DOL users will not have access to this OutSystems subsystem. Guidance on accessing/using the DOD systems may be accessed at https://www.dcsa.mil/mc/tec/upcoming_courses/.

Privacy Impact Analysis

UPSTART does not share PII with external organizations as part of the normal business process. This system will be used as a case management system to streamline existing processes where PII is shared with external organizations via secure non-DOL systems. However, in the unlikely event that information needs to be shared, there is always a risk that the sharing partner does not have the appropriate authorized access level which could result in unauthorized disclosure. The key security controls to ensure that access to PII is properly authorized include:

Technical Controls

  • Access Control (AC)
    • Information Sharing
  • Audit and Accountability (AU):
    • Audit and Accountability Policy and Procedures
    • Auditable Events
    • Content of Audit Records
    • Audit Monitoring, Analysis, and Reporting

Operational Controls

  • Media Protection (MP)
    • Media Access
    • Media Marking
    • Media Storage
    • Media Transport
    • Media Transport/Cryptographic Protection

Privacy Controls

  • Use Limitation (UL)
    • Internal Use

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.

While UPSTART does not provide notice to individuals, they are notified prior to collection of PII via the information stated on the OF-306 and introductory web pages of the eQIP application. This information is documented on SORNs OASAM-20 and OPM Central 9. For DOL Systems which transmit PII via UPSTART email, including Privacy Act requests, DOL has provided appropriate public notice of the collection of information necessary to process requests under the statutes in full compliance with the law and OMB guidance.

Do individuals have the opportunity and/or right to decline to provide information?

Yes.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Individual submission of the information is voluntary. Forms utilized to capture the information describe the intended use of the information.

Privacy Impact Analysis

The privacy risk is unauthorized access and disclosure of PII. DOL shall not disclose, nor make available, any personal data except with the consent of the individual concerned or by authority of law. DOL shall, when appropriate and required by law, provide access to, and a process for amending, personal information in accordance with the Privacy Act of 1974.

DOL policy provides guidance for use of notice and collection of data and advising DOL Federal and contractor support of penalties regarding improper use of DOL information via notifications and confidentiality agreements (e.g., system access notification, computer security and privacy awareness training, contractor Confidentiality/Non-Disclosure Agreement, System Access Request Forms, and Rules of Behavior).

Privacy Controls

  • Transparency (TR)
    • Privacy Notice
    • System of Records Notices and Privacy Act Statements
    • Dissemination of Privacy Program Information

Individual Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

Individuals would need to contact the DOL organization(s) with which they interact to gain access to their information. For investigative records, individuals would submit a first-party FOIA request directly to the investigation service provider, DoD.

What are the procedures for correcting inaccurate or erroneous information?

DOL DPSS staff perform a review of the information provided and check non-DOL systems. Any inaccurate or erroneous information is corrected via updated documents with supporting identification materials, as needed.

How are individuals notified of the procedures for correcting their own information?

Processes are documented in the Division of Personnel Security & Suitability Standard Operating Procedures and the DPSS Business Process Guide.

If no formal redress is provided, what alternatives are available to the individual?

DOL DPSS staff perform a review of the information provided and check non-DOL systems. Any inaccurate or erroneous information is corrected via updated documents with supporting identification materials, as needed.

Privacy Impact Analysis

There is minimal risk to the data integrity of PII stored in UPSTART because it is well protected by numerous security controls.

Data integrity is primarily accomplished through authorized restrictive access to information in the system.
The key security controls to ensure the integrity of PII include:

Operational Controls

  • System and Information Integrity (SI)
    • Information Input Validation
    • Error Handling
    • Information Handling and Retention

Privacy Controls

  • Individual Participation and Redress (IP)
    • Consent
    • Individual Access
    • Redress
    • Complaint Management
  • Data Quality and Integrity (DI)
    • Data Quality
    • Data Integrity and Data Integrity Board

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

DPSS Personnel Security Specialists and Assistants have full access to the PII in the system. Human Resources Specialists and Contracting Officer Representatives enter and have access to the PII stored by the system, only when the individual record is entered by them or would be required as part of their work unit duties. Hiring Managers have very limited access to PII and only to the extent necessary to facilitate their clearance review process. Agency Administrative Officers have very limited access to PII via a dashboard view for subjects within their agencies. IT Specialists with significant information services responsibilities have more general access to PII stored by the system. Public users have no access to UPSTART.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes, the information is accessed by DOL contractor support staff within OCIO, for the purpose of providing technical support for the cloud implementation. DOL contract support staff within DPSS would have access to process cases submitted to DPSS.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

Yes. Roles are separated into privileged users, with privileged user roles being separated into varying degrees of permissions based on the business and security functions that they fulfill.

What procedures are in place to determine which users may access the system and are they documented?

Access Control procedures are in place and documented in accordance with DOL and DOL computer security guidelines and the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.
Formally documented user access and account management procedures are in place to grant access to the system. The Agency Approval of User Access procedure, including request forms, and Rules of Behavior concurrence are two of the documented products within the guidelines established by DOL for completion prior to access. Upon completion, Role-Based Access Controls will be implemented on the approved account.

The applicable NIST SP 800-53 management, operational and technical controls access control requirements are implemented in UPSTART.
Highlights of the access procedures include:

  • Rules of Behavior
  • two-factor authentication
  • login via Windows Active Directory Services and Cisco VPN
  • access provided strictly on the basis of approved authorizations
  • automatic removal of inactive access accounts
  • least privilege access based on role.

Additionally, application logs capture system interactions and are reviewed periodically to ensure only authorized persons access the information system.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide date of last training.

Roles are implemented in accordance with a Role-Based Access Control matrix developed after analysis of business, administrative, and security roles. Forms are completed and archived as part of the onboarding process, and verification and auditing of these roles is accomplished by periodic review of these forms and the Role-Based Access Control enforcement mechanisms. Training for users is provided at least annually and must be completed by the end of the fiscal year.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Mandatory DOL Information Systems Security Privacy and Awareness Training is provided to all employees and contractors of DOL on an annual basis.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Within UPSTART there are specific user roles (groups) defined which provide varying levels of access to data stored in UPSTART. Critical functions are divided among different individuals based on their security group/role assignment.

Auditing functionality exists within UPSTART to allow for user, account management, and privileged user actions to be recorded in an audit log and backed up for a specified period of time. Audit information stored includes: type of audit event, date and time audit event occurred, User ID, command used to initiate the audit event, success or failure of audit event and event result.

System logs are reviewed periodically to ensure only authorized persons access information.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes. This will be a new security assessment and authorization.

Privacy Impact Analysis

The PII stored within UPSTART is limited to information necessary for the Agency to carry out its duties. It is well protected in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects. UPSTART does not interface with any other systems except its hosting network infrastructure.

The privacy risks identified with unauthorized access and disclosure can be mitigated through the following FedRAMP baseline technical security controls:

Technical Class Controls

  • Access Control (AC):
    • Account Management
    • Access Enforcement
    • Information Flow Control
    • Separation of Duties
    • Least Privilege
    • Unsuccessful Login Attempts
    • System Use Notification
    • Session Lock
    • Supervision and Review – Access
  • Audit and Accountability (AU):
    • Audit and Accountability Policy and Procedures
    • Auditable Events
    • Content of Audit Records
    • Audit Monitoring, Analysis, and Reporting
  • Identification and Authentication (IA):
    • Authenticator Management
  • System and Communications Protection (SC):
    • Boundary Protection
    • Transmission Integrity
    • Transmission Confidentiality
    • Cryptographic Protection
    • Protection of Information at Rest

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The UPSTART system was built from the ground up in the DOL OutSystems Low Code Platform.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

Data integrity, privacy and security were analyzed during the early phases of the System Development Lifecycle Management Methodology (SDLCMM) by evaluating the information types needed to successfully achieve functional requirements, categorizing the information types in accordance with the FIPS 199 Security Categorization methodology outlined in NIST Special Publications, the Department of Labor Manual Series and DOL Computer Security Handbook, and determining the risk impacts associated with those information types to arrive at a high watermark. This was used to determine the applicable security control baseline. This baseline was then tailored to the system architecture and other business security factors. Controls were implemented and assessed for effectiveness, and the residual risk was analyzed, and mitigating factors documented.

What design choices were made to enhance privacy?

Encryption technologies, architectural enhancements to provide information flow control, programmatic filtering, user and role-based web-part targeting, and Role-Based Access Control were implemented to enhance privacy.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

UPSTART is in the development phase using Agile methodology.

For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.

No, only test accounts and test data are used in development.

PII Reduction

Is any part of the PII collection voluntary?

No. The PII collection is mandatory and is required by governing policies for onboarding.

If any part of the PII collection is voluntary, what efforts are being made to redact, mask, anonymize or eliminate PII from this system?

UpSTART complies with the overall DOL PII and Social Security Number reduction guidance as issued by DOL and DOL, including policies restricting the use of email to transmit SSN.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • DOL has completed the PIA for the UpSTART system which is currently in development. DOL has determined that the safeguards and controls for this moderate system adequately protect the information.
  • DOL has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.