PTA (Privacy Threshold Analysis): determines whether a system handles PII. The PTA is positive if PII is collected and negative if it is not. Reference: SP 800-122.
PIA (Privacy Impact Assessment): conducted only when the PTA is positive. It identifies the risks of collecting the PII and the controls in place to protect it. A PIA applies to a system (e.g. the Federally Facilitated Marketplace website), whereas a SORN applies to a program (e.g. Obamacare, the Affordable Care Act). The Federally Facilitated Marketplace website is one of the numerous systems that support Obamacare. Reference: SP 800-122.
TPWA (Third-Party Website or Application assessment): OMB Memorandum 10-23 requires agencies to assess third-party websites and applications for privacy before using them. Example: a CMS page on Facebook. CMS must complete a TPWA for Facebook before creating the Facebook page.
SORN (System of Records Notice): generally required when a group of records maintained by a federal system contains PII and that PII is retrieved by an identifier unique to the individual (name, address, email address, telephone number, Social Security number, etc.). The SORN states the purpose for collecting the PII, how its accuracy is ensured, and how it is protected. A SORN applies to programs (e.g. Obamacare), not to systems.
OMB Number: the Paperwork Reduction Act requires every federal agency to obtain OMB approval, in the form of a "control number", before issuing a paper form, website, survey or electronic submission that imposes an information collection burden on the general public (applicable only when 10 or more people are surveyed). This applies only when the agency collects the information directly from the public, not when it obtains it from another agency or system.
E-authentication: applicable when a system is accessible remotely. The e-authentication assessment identifies the appropriate authentication mechanism (single-factor, multifactor, etc.) based on risk. Reference: SP 800-63.
FIPS 199
Risk Assessment Report
E-Authentication
Privacy Threshold Analysis (PTA)
Privacy Impact Assessment (PIA)
System of Records Notice (SORN)