Privacy Impact Assessment – DRMS
Page 12
8.2 Will Department contractors have access to the system?
Yes. Department contractors with a need-to-know will have access to DRMS as part of their
regular assigned duties. Contractors are required to undergo mandatory background
investigations commensurate with the sensitivity of their responsibilities, in compliance with
Federal requirements.
8.3 Describe what privacy training is provided to users, either generally or specifically relevant to the program or system.
Annual organizational Privacy Awareness Training is mandatory for all FPAC personnel.
FPAC requires that every employee and contractor receive information security awareness
training before being granted network and account access, per General Manual, Title 270, Part
409 - Logical Access Control and Account Management. Annual Security Awareness and
Specialized Training is also required, per FISMA and USDA policy, and is tracked by USDA.
To remind users of their responsibilities (which they acknowledged during their Annual
Security Awareness Training), the application reiterates that documents passed to DRMS may
contain sensitive information, and this information must not be disclosed to anyone unless the
recipient has a direct need-to-know in the performance of their official duties.
8.4 Has Certification & Accreditation been completed for the system or systems supporting the program?
No. DRMS anticipates the initial ATO around March 1, 2021.
8.5 What auditing measures and technical safeguards are in place to prevent misuse of data?
FPAC complies with the Federal Information Security Modernization Act (FISMA) of 2014. Assessment and Accreditation (A&A), annual key control self-assessments, and continuous monitoring procedures are implemented for PDS per the requirements of NIST SP 800-53 Revision 4. The system also provides the following technical safeguards to prevent misuse of data:
• Confidentiality: Encryption is implemented to secure data at rest and in transit for PDS
[e.g., by Federal Information Processing Standards (FIPS) 140-2 compliant HTTPS and
end-user hard disk encryption]. The documents that are passed to, and maintained in,
DRMS are encrypted in transit.
• Integrity: Masking of applicable information is performed for PDS (e.g., passwords are
masked by eAuth).
• Access Control: PDS implements least privileges and need-to-know to control access to
PII [e.g., by Role-Based Access Control (RBAC)].
• Authentication: Authentication to the system and session timeout are implemented for PDS (e.g., by eAuth, with multi-factor authentication for remote access).
• Audit: Logging is implemented for PDS [there is a logging infrastructure including
Application Audit Log Solution (AALS)]. PDS logs events from various devices within its