The System and the Information Collected and Stored within the System

ISMS collects the same list of personally identifiable information (PII) as outlined in the PSAMS Privacy Impact Assessment (PIA).

The primary difference in the amount and type of information collected and stored is that potentially disqualifying issues that may be identified during the adjudicative review process are documented and tracked within ISMS.

In addition, the results from NCIC checks, credit checks, FBI name checks, and background investigations may be stored.

This information is stored to centralize case-related documents and to shorten review and approval times associated with case processing.

The Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004, codified in Executive Order 13381 (6-27-05), mandates that agencies ensure the appropriate uniformity, centralization, efficiency, effectiveness, timeliness, and reciprocity of determining eligibility for access to classified national security information.

Centralization and automation of related data as described in this update directly support this mandate. Specific security roles have been defined within the application to control access to the data, and the data is stored in encrypted fields or secured with file permissions if included as an attachment.

The ISMS system also introduces an information security (INFOSEC) module to support the tracking of classification authorities, guides, containers, documents, courier cards, DD254, and other INFOSEC-related activities.

The INFOSEC module integrates with the personnel security module (PERSEC) for identifying owners of INFOSEC elements (e.g., name, clearance level), but does not expose any other PII information to that module.

Depending on the type of investigation required, Executive Orders 10450, 10865, 12333, 12356, 12968 and 13311; Title 5 US Code (USC), sections 3301 and 9101; 42 USC sections 2165 and 2201; 50 USC sections 781 to 887; 5 Code of Federal Regulations (CFR) sections 5, 731, 732, and 736 provide the basis for collecting information regarding background investigations for suitability determination and National Security positions.

Protection of information associated with the system is described in DHS Management Directive (MD) 11042.1 Safeguarding Sensitive and Unclassified Information (FOUO), and DHS Policy for FOIA Compliance MD 0460.1.

The only additional risk associated with this update is that additional information is being collected as outlined above. This risk is mitigated with the following security controls:

• Specific security roles have been defined and implemented within the application to control access to the additional information.

• Any additional information stored in large text fields will be stored in an encrypted form in the database.

• When this additional information is stored as an attachment on the server, file access will be restricted by file permissions to prevent access by those without an appropriate requirement for access.

• Network access to the application is made via a Secure Sockets Layer (SSL) connection to the ISMS environment.