PCLIA #5547 Report

Date of Approval: December 18, 2020

PIA ID Number: 5547

SYSTEM DESCRIPTION

Enter the full name and acronym for the system, project, application and/or database.

Contract Writing System Bot, CWSB

Is this a new system?

Yes

What governance board or Executive Steering Committee (ESC) does this system report to? Full

name and acronym.

Office of Procurement, headed by the Chief Procurement Officer governs the operation of

the system. The Director, Data Analytics and Technology operates the Contracting Writing

System Bot in collaboration with the Director, Office of Procurement Support Services.

Current ELC (Enterprise Life Cycle) Milestones:

Vision & Strategy/Milestone 0

Project Initiation/Milestone 1

Is this a Federal Information Security Management Act (FISMA) reportable system?

GENERAL BUSINESS PURPOSE

What is the general business purpose of this system? Provide a clear, concise description of the

system, application or database, the reason for the system, and the benefits to the IRS to use the

information, and how the information will be used.

The Contract Writing System Bot is a collection of automations for repetitive, rules-based

procurement tasks. Robotic process automation (RPA) and intelligent automation (IA)

operates at the user interface level on top of an existing contract writing system (e.g.

Procurement for the Public Sector (PPS / IFS). The bot will enter data and draft documents

for approval by IRS employees. Automations support pre-award and post award contracting

activities such as drafting solicitations, purchase orders, and modifications to exercise

options, add incremental funding, and insert clauses.

PII DETAILS

Does the system use, collect, receive, display, store, maintain, or disseminate IR Code 6103

taxpayer information; or any other type of Sensitive but Unclassified (SBU) information or PII

such as information about IRS employees or outside stakeholders?

Yes

Does the system use, collect, receive, display, store, maintain, or disseminate Social Security

Numbers (SSN's) or tax identification numbers (i.e. last 4 digits, etc.)?

Yes

What types of tax identification numbers (TIN) apply to this system?

Employer Identification Number

Does this system use, collect, receive, display, store, maintain or disseminate other (non-SSN)

PII (i.e. names, addresses, etc.)?

Yes

Specify the PII Elements:

Name

Mailing address

Phone Numbers

E-mail Address

Standard Employee Identifier (SEID)

Tax Account Information

Does this system use, collect, receive, display, store, maintain, or disseminate SBU information

that is not PII?

Yes

Specify the types of SBU from the SBU Types List:

Procurement sensitive data Contract proposals, bids, etc.

Are there other types of SBU/PII used in the system?

Cite the authority for collecting SBU/PII (including SSN if relevant).

PII for federal tax administration is generally Internal Revenue Code Sections 6001, 6011, &

6012e(a)

Has the authority been verified with the system owner?

Yes

BUSINESS NEEDS AND ACCURACY

Explain the detailed business needs and uses for the SBU/ PII, and how the SBU / PII is limited

only to that which is relevant and necessary to meet the mission requirements of the system. If

SSNs (or tax identification numbers) are used, explicitly explain why use of SSNs meets this

criteria. Be specific.

SBU/PII information used is expressly required by law and regulation. The Federal

Acquisition Regulations (48 CFR) require government contracts to contain data elements

with the following. Subpart 3.104-4 Disclosure, protection, and marking of contractor bid or

proposal information and source selection information. Subpart 4.9 - Taxpayer Identification

Number Information Subpart 4.13 - Personal Identity Verification Subpart 52.209-11

Representation by Corporations Regarding Delinquent Tax Liability or a Felony Conviction

under any Federal Law.

How is the SBU/PII verified for accuracy, timeliness and completion?

The Bot will use high quality data maintained via a rigorous program that promotes data

accuracy, timeliness, completeness, and compliance with the Data Act. - Contracting

Officers receive training on data definitions and reporting requirements. - Certain validation

checks are built-in to catch obvious, patently apparent errors. - Bots are used to assess data

for errors and inconsistencies. Users are alerted and asked to correct erroneous data. - Vendor

data is recertified in SAM.gov annually by IRS contractors. - Audits are done regularly to

assess accuracy, timeliness, and completeness.

PRIVACY ACT AND SYSTEM OF RECORDS

The Privacy Act requires Federal agencies that maintain a system of records to publish systems

of records notices (SORNs) in the Federal Register for records from which information is

retrieved by any personal identifier for an individual who is a US citizen or an alien lawfully

admitted for permanent residence. The Privacy Act also provides for criminal penalties for

intentional noncompliance.

Does your application or this PCLIA system pertain to a group of any record from which

information is retrieved by any personal identifier for an individual who is a US citizen, or an

alien lawfully admitted for permanent residence? An identifier may be a symbol, voiceprint,

SEID, or other personal identifier that is used to retrieve information.

Yes

Identify the Privacy Act SORN(s) that cover these records.

Treasury .009 Treasury Financial Management Systems

RESPONSIBLE PARTIES

Identify the individuals for the following system roles:

## Official Use Only

INCOMING PII INTERFACES

Does the system receive SBU/PII from other systems or agencies?

Yes

Does the system receive SBU/PII from IRS files and databases?

Yes

Enter the files and databases:

System Name: Integrated Financial System

Current PCLIA: Yes

Approval Date: 5/14/2020

SA&A: Yes

ATO/IATO Date: 4/9/2020

Does the system receive SBU/PII from other federal agency or agencies?

Yes

For each federal interface, identify the organization that sends the SBU/PII, how the SBU/PII is

transmitted and if there is an Inter-Agency Agreement (ISA) /Memorandum of Understanding

(MOU).

Name: General Services Administration’s Federal Procurement Data System

Transmission Method: Download from SAM.gov or FPDS.gov

ISA/MOU: No

Does the system receive SBU/PII from State or local agency (-ies)?

Does the system receive SBU/PII from other sources?

Does the system receive SBU/PII from Taxpayer forms?

Does the system receive SBU/PII from Employee forms (e.g. the I-9)?

DISSEMINATION OF PII

Does this system disseminate SBU/PII?

PRIVACY SENSITIVE TECHNOLOGY

Does this system use social media channels?

Does this system use privacy-sensitive technologies such as mobile, global position system

(GPS), biometrics, RFID, etc.?

Yes

Briefly explain how the system uses the referenced technology.

The intended Contract Writing System Bot is a collection of automations for repetitive, rules-

based procurement tasks that mimics human behavior. Robotic process automation (RPA)

and intelligent automation (IA) operates at the user interface level on top of an existing

contract writing system (e.g. Procurement for the Public Sector (PPS / IFS). The bot will

enter data and draft documents for approval by IRS employees. Automations support pre-

award and post award contracting activities such as drafting solicitations, purchase orders,

and modifications to exercise options, add incremental funding, and insert clauses. It will

have access to certain SBU/PII data that's inherent in the contract writing system.

Does the system use cloud computing?

Does this system/application interact with the public?

INDIVIDUAL NOTICE AND CONSENT

Was/is notice provided to the individual prior to collection of information?

Yes

How is notice provided? Was the individual notified about the authority to collect the

information, whether disclosure is mandatory or voluntary, the purpose for which the

information will be used, with whom the information may be shared, and the effects on the

individual, if any, if they decide not to provide all or any of the requested information?

Contractors are notified of information collection requirements thru the Federal Acquisition

Regulations and Paperwork Reduction Act / Federal Register notices.

Do individuals have the opportunity to decline from providing information and/or from

consenting to particular uses of the information?

Yes

Describe the mechanism by which individuals indicate their consent choice(s):

Contractors and prospective contractors are notified that providing information is voluntary

but required if they wish to obtain a contract with the IRS.

How does the system or business process ensure 'due process' regarding information access,

correction and redress?

Prospective contractors are provided with stated evaluation criteria the IRS will use in

deciding which companies would receive a contract. Vendors can receive a debriefing or

explanation of the government's source selection decision. Successful contractors are given

an opportunity to review contract and contract modification documents and can choose

whether or not to agree (mutual agreement is a cornerstone of contracting). Contractors /

vendors that disagree with an IRS action can seek redress through an appropriate method

including data correction, bid protest, or claim under the Contract Disputes Act.

INFORMATION PROTECTION

Identify the owner and operator of the system (could be IRS owned and Operated; IRS owned,

contractor operated; contractor owned and operated).

IRS Owned and Contractor Operated

The following people have access to the system with the specified rights:

IRS Employees

Users: Read Only

Managers: Read Only

System Administrators: Administrator

Developers: Read Write

IRS Contractor Employees

Contractor Users: Read Only

Contractor Managers: Read Only

Contractor System Administrators: Administrator

Contractor Developers: Read Write

How is access to SBU/PII determined and by whom?

The IRS project manager and Contracting Officer's Representative ensures that employees

and contractors had background investigations favorably adjudicated and have job duties that

require access.

RECORDS RETENTION SCHEDULE

Are these records covered under a General Records Schedule (GRS, IRS Document 12829), or

has the National Archives and Records Administration (NARA) approved a Records Control

Schedule (RCS, IRS Document 12990) for the retention and destruction of official agency

records stored in this system?

Yes

How long are the records required to be held under the corresponding GRS or RCS, and how

are they disposed of? In your response, please provide the GRS or RCS chapter number, the

specific item number, and records series title.

Procurement records fall under General Records Schedule 1.1. Financial Management and

Reporting Records, Item, 011. The purpose of CWSB is to draft document and enter data into

the system of record. Procurement records are retained, in the Procurement for the Public

Sector system. managed by the IRS Office of Procurement.

SA&A OR ASCA

Has the system been through SA&A (Security Assessment and Authorization) or ASCA (Annual

Security Control Assessment)?

In-process

When is the anticipated date of the SA&A or ACS completion?

12/31/2020

Describe the system's audit trail.

CWSB will comply with Enterprise Security Audit Trail (ESAT) requirements. Audit logs

will be generated in Extensible Markup Language (XML) format.

PRIVACY TESTING

Does the system require a System Test Plan?

Yes

Is the test plan completed?

When is the test plan scheduled for completion?

12/31/2020

Describe what testing and validation activities have been conducted or are in progress to verify

and validate that the applicable Privacy Requirements (listed in header) have been met?

A System Test Plan and other Enterprise Lifecyle (ELC) artifacts and are currently being

worked with IT.

SBU DATA USE

Does this system use, or plan to use SBU Data in Testing?

NUMBER AND CATEGORY OF PII RECORDS

Identify the number of individual records in the system for each category:

IRS Employees: Under 50,000

Contractors: More than 10,000

Members of the Public: Under 100,000

Other: No

CIVIL LIBERTIES

Does the system maintain any information describing how any individual exercises their rights

guaranteed by the First Amendment?

Is the system information used to conduct 'data-mining' as defined in the Implementing

Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53, Section 804?

Will this system have the capability to identify, locate, and monitor individuals or groups of

people?

Does computer matching occur?

ACCOUNTING OF DISCLOSURES

Does the system include or require disclosure of tax or employee information to anyone other

than IRS employees in the performance of their duties, or to the person to whom the information

pertains or to a 3rd party pursuant to a Power of Attorney, tax or Privacy Act consent?