• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

SORN 09-90-0411

System name:  HHS Consolidated Acquisition Solution (HCAS), HHS/ASFR.

Security classification:  None.

System location:  NIH Center for Information Technology, 10401 Fernwood Road, Bethesda, MD 20817.

Categories of individuals covered by the system:  Information is collected on HHS Contracting Officers and HHS vendors who are service fellows or sole proprietorships that provide vendor services as individuals.

Categories of records in the system:  HCAS records include HHS statements of work, purchase requests, requests for proposals (RFPs), bids, proposals, vendor invoices, requisitions, contract awards, contract modifications, progress reports, financial status reports, audit reports, and contract deliverables.

Individual Information in Identifiable Form (IIF) contained in these records includes names of HHS contracting officers, vendor names, mailing addresses, phone numbers, financial account information, legal documents, Web URLs, and e-mail addresses and may include Social Security numbers when a vendor Tax Information Number (TIN) is not available.

Authority for maintenance of the system:  As an IT investment, HCAS is governed by the HHS IT Investment Review Board (ITIRB), as part of the HHS Capital Planning and Investment Control (CPIC) process, as managed by the HHS Office of the Chief Information Officer (OCIO). CPIC is mandated by the Clinger-Cohen Act which requires agencies to use a disciplined process toacquire, use, maintain and dispose of information technology. The OCIO exercises authorities delegated by the Secretary to the Deputy Assistant Secretary for Information Technology, as the CIO for HHS. These authorities derive from the Clinger-Cohen Act of 1996, the Paperwork Reduction Act of 1995, the Computer Matching and Privacy Act of 1988, the Computer Security Act of 1987, the Federal Information Security Management Act (FISMA), the National Archives and Records Administration Act of 1984, the Competition in Contracting Act of 1984, the Federal Records Act of 1950, OMB Circulars A–130 and A–11, Government Printing and Binding Regulations issued by the Joint Committee on Printing, and Presidential Decision Directive 63.

In addition to the ITIRB oversight, HCAS falls within the governance of the HHS Office of Grants and Acquisition Policy and Accountability (OGAPA).


HHS has acquisition offices across 10 Operating/Staff Divisions, which conduct and process thousands of procurement transactions annually. The HHS acquisition community requires a transaction-based, integrated procurement system that is consistent across the entire HHS. Except for the Centers for Disease Control and Prevention (CDC), HHS utilizes the acquisition processing and management functionality of Purchase Request Information System (PRISM), a commercial off-the-shelf (COTS) application from Compusearch Software Systems. Except for CDC and Centers for Medicare and Medicaid Services (CMS), HHS utilizes the requisitioning functionality in Oracle i-Procurement, a package available within Oracle Federal Financials, the software utilized by the Unified Financial Management System (UFMS), the HHS enterprise financial management system.

The HHS Consolidated Acquisition System delivers a standardized global PRISM for all operational contracting components within HHS (except CDC) that utilize UFMS (referred to as HCAS clients). HHS deployed HCAS to the following seven HCAS client contracting offices: Agency for Healthcare Research and Quality (AHRQ), Assistant Secretary for Preparedness and Response (ASPR), Food and Drug Administration (FDA), Program Support Center (PSC), Health Resources and Services Administration (HRSA), Indian Health Service (IHS) and Substance Abuse and Mental Health Services Administration (SAMHSA).  (CMS and National Institutes of Health (NIH), which use other distinct Oracle Federal Financial instances for financial management that are not UFMS, are not considered HCAS clients and are outside the scope of this system.) CDC, while using UFMS, does not use the HCAS PRISM environment but uses their own procurement system Integrated Contracts Expert (ICE). HCAS PRISM was fully implemented across its HHS clients on February 8, 2009.

The enterprise PRISM configuration via HCAS allows HHS to standardize acquisition business processes across the department. A consolidated PRISM facilitates and enables a single solution for integrating acquisition with financial management (one interface between HCAS and UFMS) and other mixed financial management systems.

The HCAS system itself collects information necessary to support a procurement relationship between HHS and the vendor community. There are limited instances where an individual’s information in identifiable form (IIF) will be collected in order to facilitate a transaction in HCAS. HCAS collects and maintains IIF for service fellows and sole proprietorships that provide vendor services as individuals.

Acquisition processes supported by HCAS include acquisition planning, solicitation, contract creation and approval, contract award and award closeout. To support these business processes, IIF contained in HCAS may include the following: Vendor and contracting officer names, vendor mailing addresses, phone numbers, vendor financial account information, legal documents, Web URLs, e-mail addresses, vendor education records, and vendor tax ID numbers (TIN) or Social Security numbers. HCAS users will be able to retrieve data records by vendor or contracting officer name, among other identifiers. For example, names of contracting officer who act as buyers for HHS may be used to retrieve request for proposals or other HHS solicitation materials or purchase requests. Users may also use a contracting officer’s name to retrieve associated contact information such as business e-mail or phone number when creating a solicitation or contract. Similarly, users may retrieve solicitation and contract materials, such as proposals, progress reports, and contract modifications by vendor name.

Social Security numbers of vendors may be captured within HCAS under certain circumstances where a Tax Identification Number (TIN) is not available. The HCAS system will comply with all provisions of section 7 of the Privacy Act, including compliance with the following paragraph:

Any Federal, State or local government agency which requests an individual to disclose his Social Security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

When vendor SSN information is collected by HCAS, it is required for vendors to obtain the benefit of contracting with HHS. Provision of this information by the vendor is elective and again, is only used when a vendor TIN is not available.

HCAS is integrated with UFMS and information is exchanged in both directions between the two systems. Information retrieved from HCAS may be shared/disclosed within and across the HHS contracting and financial management communities to: (1) Specify the Contracting Officer conducting an HHS solicitation or purchase request; (2) to specify vendor information in contract documentation, including award, modifications, and task progress reports; and (3) to validate and approve payments to HHS vendors.

Information on vendors pertaining to specific HHS contract transactions captured in HCAS is not shared or disclosed to agencies outside of HHS. Names of contracting officers who act as buyers for HHS are contained in solicitation materials that are released to the public for competitive procurements.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

The Privacy Act allows information disclosure without an individual’s consent if the  information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a ‘‘routine use.’’ The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. We are proposing to establish the following routine use disclosures of information maintained in the system:

(1) To agency contractors or consultants who have been engaged by the agency to assist in the accomplishment of the HCAS/FESM Operations and Maintenance function (O&M) relating to the purposes for this system and who need to have access to the records in order to assist the OGAPA and HCAS/FESM O&M Federal leadership.

(2) To the Department of Justice (DOJ), court or adjudicatory body when the agency or any component thereof, or any employee of the agency in his or her official capacity, or any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee, or the United States Government is a party to litigation or has an interest in such litigation, and by careful review, the HHS OGAPA determines that the records are relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system: 

Storage:  All records are stored on electronic media.

Retrievability:  Identifiers used to retrieve records may include names of contracting officers and vendors. Names of contracting officers who act as buyers for HHS may be used to retrieve RFPs, statements of work, purchase requests, contract awards or contract modifications. Vendor names may be used to retrieve proposals, contract awards, contract modifications, progress reports, financial status reports, invoices, and contract deliverables. In the limited instance that a vendor is a service fellow or a sole proprietorship that provides services to HHS as an individual, HCAS will allow users to use the individual’s name to retrieve vendor related procurement records.


Administrative controls:  The following Administrative Controls have been in place for HCAS:

Account management/user identification and authentication:

Users must have a UFMS account prior to creation of the PRISM account. User’s supervisor or another UFMS user submits a request for access on behalf of the prospective user through the User Provisioning Automated (UPA) process. The UPA process is the on-line UFMS user provisioning module. The UPA process is a workflow process that requires supervisor approval, responsibility approval, SOD approval, and security verification of background investigation. Reports can be generated detailing the approvals for user provisioning. Inactive accounts are locked after 60 days of inactivity. The use of temporary and emergency accounts is prohibited.

Authenticator management:

Users are required to change their password upon initial login. If users do not log in and change their passwords within 30 days of account generation, then the account is made inactive. Users are responsible for understanding and complying with all password use requirements including the need for adequate (difficult to decipher) passwords. Users are required to use passwords of a mix of eight (8) alpha, numeric and special characters, with at least one uppercase letter, one lower case letter, and one number. Users are automatically required to change their passwords every 90 days. Users are instructed to keep their passwords confidential and not share them with anyone. Upon notification that a password has been forgotten or compromised, the password is immediately reset to a unique (nondefault) password and the user is notified. Upon login, after a password reset, the user is required to change their password within 2 days to prevent the account from being deactivated.

Access enforcement:

User access to the application functions are granted through the UPA process based upon the role that has been assigned to the user and approved through the workflow. Privileges assigned to users of the system/application are granted based upon the role that has been assigned to the user. This includes administrative privileges that can be performed within the system.

Information flow enforcement - NIH/CIT security mechanisms:

Carbon Copy (CC): The UFMS application resides on hardware located within the National Institutes of Health, Center for Information Technology (NIH/CIT) general support system (GSS). The flow of information within the system and between interconnected systems is controlled by various NIH/CIT network firewalls, and authentication mechanisms HHS–Net Certification and Accreditation (C&A)— The flow of information within the system traverses the HHS–Net network which includes routers, switches, network firewalls, and authentication mechanisms.

Least privilege:

Privileges assigned to users of the system/application are granted based upon the role that has been assigned to the user.

Unsuccessful login attempts:

The system contains functionality that prevents user access when the maximum number of unsuccessful login attempts is exceeded. The HCAS system automatically locks an account until released by an administrator when three (3) unsuccessful login attempts occur.

Technical controls:

Access to the system is controlled by HCAS Systems Security Officer, which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.

Physical controls:

The servers will reside in the NIH CIT Computer Room where policies and procedures are in place to restrict access to the machines. This system will conform to all applicable Federal laws and regulations and HHS/Office of the Secretary policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: The Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the E-Government Act of 2002; the Clinger-Cohen Act of 1996; and the corresponding implementing regulations. OMB Circular A–130, Management of Federal Resources,

Appendix III, Security of Federal Automated Information Resources also applies. Federal and HHS/Office of the Secretary policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications and the HHS Information Systems Program Handbook.

Retention and disposal:

HCAS is governed by the HHS Records Management and Disposition guidelines for the retention and destruction of IIF. The guidelines reference the National Archive and Records Administration Act of 1984 (Pub. L. 98–497, 44 U.S.C. Chapter 21). The HCAS FESM/O&M will retain identifiable information maintained in the HCAS system of records in accordance with the National Archives and Records Administration General Records Schedules and Federal Acquisition Regulation (FAR 4.805).

System manager(s) and address:

Director, Information and Systems Management Services (ISMS), U.S. Department of Health and Human Services, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

Notification procedure:

Inquiries should be made in writing to the System Owner, Deputy Assistant Secretary, Office of Grants and Acquisition Policy and Accountability, Assistant Secretary for Financial Resources, U.S. Department of Health and Human Services, 200 Independence Avenue, SW., Washington, DC 20201. The individual making the inquiry must show proof of identity before information is released and give name and social security number, purpose of inquiry, and if possible, the document number.

Record access procedures:

For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2)).

Contesting record procedures: 

The subject individual should contact the system owner named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulations 45 CFR 5b.7).

Record source categories:

Information in HCAS will be collected, in part, from the data transmitted from i-Procurement which includes: Requisition number; date of request; object class, appropriation code and Central Accounting Number (CAN) of the item requested; HHS requesting organization name; and location, HHS point of contact name and business contact phone number within the requesting organization; a description of the item requested and corresponding quantity and cost required. Other information collected includes; proposal, solicitation, market research, and contract award documentation.

Systems exempted from certain provisions of the act: 


Content created by Freedom of Information Act (FOIA) Division