Privacy Threshold Analysis (PTA)

2502-0505 - PTA (Signed by the Privacy Office).pdf

Comprehensive Needs Assessment (CNAs)

Privacy Threshold Analysis (PTA)

OMB: 2502-0505

Document [pdf]
Download: pdf | pdf
U.S. DEPARTMENT OF
HOUSING AND URBAN DEVELOPMENT

PRIVACY THRESHOLD ANALYSIS (PTA)
Capital Needs Assessment e-TOOL
(CNA e-Tool) P282

Multifamily Housing
Office of Program Systems Management

Instruction & Template

Reported August 2015
Converted to latest PTA 6/29/17

United States Department of Housing and Urban Development
August 3, 2017

PRIVACY THRESHOLD ANALYSIS (PTA)
The PTA is a compliance form developed by the Privacy Branch to identify the use of Personally
Identifiable Information (PII) across the Department. The PTA is the first step in the PII verification
process, which focuses on these areas of inquiry:
▪

Purpose for the information,

▪

Type of information,

▪

Sensitivity of the information,

▪

Use of the information,

▪

And the risk to the information.

Please use the attached form to determine whether a Privacy and Civil Liberties Impact Assessment
(PCLIA) is required under the E-Government Act of 2002 or a System of Record Notice (SORN) is
required under the Privacy Act of 1974, as amended.
Please complete this form and send it to your program Privacy Liaison Officer (PLO). If you have no
program Privacy Liaison Officer, please send the PTA to the HUD Privacy Branch:
Marcus Smallwood, Acting, Chief Privacy Officer
Privacy Branch
U.S. Department of Housing and Urban Development
privacy@hud.gov

Upon receipt from your program PLO, the HUD Privacy Branch will review this form. If a PCLIA or
SORN is required, the HUD Privacy Branch will send you a copy of the PCLIA and SORN templates to
complete and return.

United States Department of Housing and Urban Development
August 3, 2017

2

PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:

Capital Needs Assessment (CNA) e-Tool

Program:

Office of Housing

CSAM Name (if
applicable):

N/A

CSAM Number
(if applicable):

N/A

Type of Project or
Program:

IT System

Project or
program
status:

Operational

Date first
developed:
Date of last PTA
update:

August 19, 2015

Pilot launch
date:

August 29, 2014

August 19, 2015

Pilot end date:

December 30, 2016

ATO Status (if
applicable)

Choose an item.

ATO
expiration date
(if applicable):

Click here to enter a date.

PROJECT OR PROGRAM MANAGER
Name:

Sean T Cortopassi

Office:

HSNG/PSMO

Title:

IT Project Manager

Phone:

202-402-4087

Email:

Sean.T.Cortopassi@hud.gov

INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name:

Cassandra Ross

Phone:

202-402-7183

Email:

Cassandra.ross@hud.gov

United States Department of Housing and Urban Development
August 3, 2017

3

SPECIFIC PTA QUESTIONS
1. Reason for submitting the PTA: Choose an item.
Please provide a general description of the project and its purpose so a non-technical person could
understand. If this is an updated PTA, please describe what changes and/or upgrades triggering the
update to this PTA. If this is a renewal please state whether there were any changes to the project,
program, or system since the last version.

The Capital Needs Assessment (CNA) e-Tool is a tool that provides an automated, electronic,
CNA for a multifamily property with a schedule of recommended replacements and associated
costs for each year in an estimate period of 20 years. The CNA e Tool is a coordinated assembly
of several automated ‘tools’ and electronic templates developed by HUD-Multifamily Housing
and USDA Rural Development to establish an aligned data standard and analytical framework
for preparing capital needs assessments. A CNA is a due diligence report commonly used in the
multifamily industry to examine current physical conditions at properties, specify
repairs/replacements needed immediately and to budget for long-term capital repair and
replacement needs during the life of an asset. The FHA case number is related to project. The
FHA case number in CNA e-tool is used as a reference to the case number for the project that is
being assessed.
CNA e-tool users consist of:
• Agency Reviewers are employees or contractors of HUD or USDA, depending on the
specifics of the program, who review and approve the CNA after it is submitted. Agency
Reviewers primarily work within the Web Portal, but will need to be familiar with the
fields within the Assessment Tool as well.
• Needs Assessors are firms or persons employed for conducting the property assessment
and typically do not require Secure Systems access. They typically just access the Public
Validation Portal (Note that Needs Assessors in rare instances may access and submit
CNA’s. This is only done when HUD is serving as the lender and may be applicable to
Recapitalization Projects).
• Lenders are banks, credit unions or other financial institutions that may be providing
financing or servicing an existing loan for a multifamily property where a CNA is
required. Lenders are normally responsible for completing the Financial Factors and
Repair Replace Decision steps within the Assessment Tool. For HUD, Federal Housing
Administration (FHA) programs and USDA’s 538 Loan Guarantee program, Lenders are
responsible for submitting CNAs through the Submission Web Portal,
• Owners are the owners of the properties being evaluated (Note: The Owner’s Portal
functionality will be built if-and-when future Development Funding can be provided, but
that capability does not currently exist within the CNA e-Tool).
The CNA e-Tool application is hosted on the Secure Systems Platform. Obtaining access to any
secure system is a two-step process consisting of authentication and authorization for both
internal and external users. Authentication is the process of determining whether someone or
something is who or what they claim to be. At the end of authentication process, a user receives
an electronic user identification number and a password. Authorization is the process of
determining which permissions an authenticated user is supposed to have. At the end of the
United States Department of Housing and Urban Development
August 3, 2017

4

authorization process, a user will be able to use their user ID and password to access secure
systems.
The DIAMS process is separate system architecture from CNA e-tool and used for account
management. The DIAMS Application Access Request Form is a web-based form used to
submit and record requests for access to HUD systems. DIAMS requests are recorded in the
HUD IT Services National Help Desk and automatically routed to the designated System
Security Administrator (SSA) of the requested system. The SSA monitors and processes requests
using the HITS Service Desk system. Designated HUD Supervisor Approves Request using
DIAMS. System Security Administrator Approves Request once the signed ROB is received.
After the request is approved, the SSA will grant you access to the system and set the task status
to complete. The user and the DIAMS submitter will receive an email once this is done.
Internal HUD user access the CNA e-Tool with an H ID or C ID through the WASS internal
URL. (ttps://hudapps.hud.gov/ssmaster). In order to access the CNA e-Tool, a user must be
authenticated by HUD. The H ID & C ID and password are the authentication credentials for
HUD employees. Refer to the HUD Office of the Chief Human Capital Officer, Personnel
Security Division for information regarding the process for obtaining a HUD ID. Proof of
completion of annual security awareness training is required. All information system users must
complete Security Awareness Training before obtaining access to secure systems. Proof of
completion must be attached to your email request. This requirement can be fulfilled with a
certificate of completion of an agency-approved security awareness course, proof of agency
specific training, or proof of completion of the Defense Information Systems Agency Cyber
Awareness Challenge. A signed Rules of Behavior (ROB) for the CNA e-Tool. All information
system users must agree to ROB before obtaining access to secure systems. A signed ROB must
be attached to your email request. The CNA e-Tool ROB can be found on CNA e-Tool website
at the following URL: (http://hudatwork.hud.gov/HUD/chco/po/a/). In order to access the CNA
e-Tool, a user must obtain authorization. Authorization for federal employees or contractor
employees is requested through the Digital Identity and Access Management System (DIAMS)
Business Application Access Request process.
External Lender user access the CNA e-Tool with an M ID through FHA Connection
(https://entp.hud.gov/clas/index.cfm ). External Independent user access the CNA e-Tool with an
M ID through WASS (https://hudapps.hud.gov/HUD_Systems). In order to access the CNA eTool, a user must be authenticated by HUD. The M ID and password are the principal
authentication credentials for HUD external lender users. The I ID and password are the
principal authentication credentials for HUD external Independent users (Refer to the REAC
TAC website for information regarding the process for obtaining an Independent ID or access to
Secure Systems). In order to access the CNA e-Tool, a user must obtain authorization and have
an assigned role. Authorization for HUD external independent users is requested by an email
sent to the CNA e-Tool System Security Administrator (SSA). Authorization for HUD external
lender users must contact their company’s M ID Coordinator. Lender User Requests Access.
An email is sent to user’s M ID Coordinator requesting access to the CNA e-Tool. The email
must contain signed ROB and profile information (Last Name, First Name, Middle Initial and MID). The M ID Company Coordinator will either approve or deny user’s access request and send
an email. M ID Coordinator Grants Application Access. If the request is approved, the M ID
Coordinator will grant user access to the system and send an email. Independent User Requests
United States Department of Housing and Urban Development
August 3, 2017

5

Access. First the independent user registers with REAC TAC and gets an I ID issued. Then the
independent user sends an email to the SSA at CNAaccess@hud.gov requesting access and a role
to the CNA e-Tool. The email must contain justification for why access and role(s) are needed.
(Note: These requests will only be approved with extenuating circumstances.), proof of
completion the Defense Information Systems Agency (DISA) Cyber Awareness Challenge
Course and profile information. The SSA will either approve or deny independent user access
request and send a reply email. If the request is approved, the SSA will grant independent user’s
access to a CNA e-Tool role and will send a reply email.
The CNA database temporarily stores H-ID and C-ID for 30 days as part of validation progress.
M-ID and I-ID are temporarily stored for 30 days in the CNA database. Internal HUD H-ID and
C-ID users authenticate via Active Directory and have single sign on to Secure Systems. All
other External IDs authenticate using Lightweight Directory Access Protocol.
There are four (4) parts and instructions:
1.
Excel based Assessment Tool (excel template in workbook format)
2.
Public Validation engine, for Needs Assessors
3.
Secured Submission Portal, for lenders or submitters
4.
Secured Reviewer portal, for government staff
Information in the CNA eTool enables HUD/FHA and USDA-RD to (1) review the regulatory
compliance of projects/properties seeking or currently covered by Agency Insurance, (2) review
the financial needs of projects/properties seeking or currently covered by Agency Insurance, and
(3) Anticipate the future financial needs of projects/properties seeking or currently covered by
Agency Insurance.
Needs Assessor completes first thirteen (13) worksheets in the Assessment tool. Needs
Assessors identify immediate and future needs. The Needs Assessor is encouraged to validate
frequently to obtain results and make edits to the CNA. After the Assessment tool is completed,
and the Needs Assessor prepares additional attachments for the lender (i.e.: Pictures and
evidence of site survey’s and USGS Seismic Activity documents). The Needs Assessor should
also download the remaining flags, and prepares draft Flag Notes for the lender (there are three
types of flags: (1) informative, (2) warning, and (3) severe). The validation engine will not allow
a CNA to be validated with severe flags, and the Needs assessor should not send the partially
completed Assessor tool to the lender with sever flags. The final assessor step is submission to
the Lender.
Next the lender receives an e-mail with the Assessment tool and additional files from the Needs
Assessor. The Lender must login to Secure Systems Platform and accesses the CNA e-Tool
Application. The lender fills out the remaining two forms and validates the CNA in the Secured
Submission Portal. The lender checks for other serious warning flags that the Needs Assessor
should have cured; returns to Needs Assessor if warranted. Some severe and warning flags may
be for lenders tasks not yet done. The lender goes to locate CNA tab and opens the just validated
CNA, completes review, prepares CNA and all exhibits for submission. The CNA e-tool secured
validation engine does calculations using a standardized methodology. The lender submits CNA
simultaneous with filing applications and paying HUD-FHA application fee at pay.gov. After a
United States Department of Housing and Urban Development
August 3, 2017

6

successful submission, the lender can use “Locate CNA" tab in the Submission Portal to see
status and comments (but is unable to make edits while the CNA is under review). In the future
HUD action to change “status” will trigger automated e-mail notice (future functionality that will
be built in the near future).
After change in status, lender uses “Locate CNA” tab to see HUD reviewer comments. If
“returned” the lender revises CNA in the Assessment Tool and resubmits. If “approved”, lender
has a firm commitment pending. If error or omission at Submission, lender must call HUD to
have CNA returned. If amended Firm Commitment is requested for CNA changes, HUD will
“undo approval” and CNA will be returned to lender for revisions and resubmission consistent
with requested amendment to Firm.
All CNA data is entered in the Assessment tool. Only comments, notes and attachments are
added in Submission Portal. Government staff comments, and status changes are added in
Reviewer Portal. The CNA can be amended only by editing the original Assessment Tool file
and revalidating. The related CNA attachments to Firm Commitments are downloaded and
printed from the approved CNA in the Reviewer Portal.
Once CNA is submitted, it is stored for three years. Once the CNA is approved, data and
workbook is stored indefinitely in CNA database in the CNA e-Tool Data Warehouse Server.
This database generates (1) Oracle Business Intelligence Enterprise Edition (OBIEE) reports, (2)
Oracle ADF portfolio, and (3) Oracle published reports.
Data and reports generated from the CNA e-tool should be available for individual properties and
on a portfolio basis to Needs Assessors, Lenders, and Agency Staff as their interests may appear.
Portfolio data will permit aggregated reports for selected data items and indices by region, by
construction items or categories, by energy savings and related metrics. Such reports will be
useful for underwriting, asset management and policy analysis. Meanwhile, at HUD individual
property CNAs will be underwritten and revised by MAP Lenders, reviewed by MF Production,
MF OAMPO, and MF Recapitalization field staff depending on the type of deal that is
submitted. In the future, functionality will be built in to make updates after Endorsement by
Asset Management field staff as repairs and replacements are funded from disbursements from
the property Reserve for Replacements escrow. (This task is now manually executed with HUD
Form 9250, but will be automated in a future phase of development if funding can be secured).
Currently in underwriting, MAP Lenders and MF Production field staff rely on paper or pdf
CNAs prepared in a combination of word processing and spreadsheet software where CNA’s are
manually revised with final conclusions reduced to paper exhibits attached to a Firm
Commitment.). In the future, the CNA process will become “living” or a continuously updated
capability which will allow Asset Managers and owners to make adjustments for individual
properties after that functionality is built.
While the CNA e-Tool has defined a common protocol, and HUD will store data for all
properties in which it has a fiduciary or regulatory interest, it is intended that other agencies and
users may also store data for groups of properties in which they have a similar interest. So, for
example a state housing finance agency might store data for its portfolio of properties, or a
private portfolio owner or manager might store data for all the properties it owns or manages.
United States Department of Housing and Urban Development
August 3, 2017

7

The CNA e-Tool would generate a property-specific report that might reside in multiple
databases and in each case the database owner would determine who had rights to access and edit
data and reports after that future functionality is built. The CNA e-Tool itself has defined the
scope and content of a CNA, and a report for a particular property is available only to authorized
users, typically the Needs Assessor, the Lender, and/or an Agency providing governance,
financing, or assistance. Reports derived from aggregated data residing in a HUD database
would be available only to authorized users of the database.
Future functionality will produce:
• Level One reports entering the database either as part of iREMS or through a common
aggregator.
• Level Two reports would enter the database through the Application Underwriting
Support System (AUSS)/Development Application Processing (DAP) system or a
successor automated underwriting system, or again through a common aggregator that
would feed other HUD systems.
• Baseline project data from CNA submission to Level Two reports will be obtained when
a property enters the HUD portfolio would be used to populate future Level One reports
for the same property and may also be useful inputs to other HUD systems such as PASS.
• The CNA eTool will collect information on Multifamily properties and exchange data
with HUD’s DAP replacement system.
• The eTool will record the financial needs projections for Multifamily insured properties
based on findings collected from a Needs Assessor and validated by the Lender.

2. Does this system employ the following
technologies?
If you are using these technologies and want
coverage under the respective PIA for that
technology, please stop here and contact the HUD
Privacy Branch for further guidance.

Social Media
Web portal1 (e.g., SharePoint)
Contact Lists
Public website (e.g. A website operated by
HUD, contractor, or other organization on behalf of
the HUD
None of these

3. From whom does the Project or
Program collect, maintain, use, or
disseminate information?

This program collects no personally identifiable
information2

1

Informational and collaboration-based portals in operation at HUD and its programs that collect, use, maintain, and share limited
personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who seek to
gain access to the portal.
2
HUD defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.

United States Department of Housing and Urban Development
August 3, 2017

8

Please check all that apply.

Members of the public
HUD employees/contractors (list programs):
Contractors working on behalf of HUD
Employees of other federal agencies
Other (e.g. business entity)

4. What specific information about individuals is collected, generated or retained?
Please provide a specific description of information collected, generated, or retained (such as full names,
maiden name, mother’s maiden name, alias, social security number, passport number, driver’s license
number, taxpayer identification number, patient identification number, financial account, credit card
number, street , internet protocol, media access control, telephone number, mobile number, business
number, photograph image, x-rays, fingerprints, biometric image, template date(e.g. retain scan, welldefined group of people),vehicle registration number, title number and information about an induvial that
is linked or linkable to one of the above (e.g. date of date, place of birth, race, religion, weight, activities,
geographical indictors, employment information, medial information, education information, financial
information) and etc.

•
•
•
•

Agency Reviewers: Temporary HUD employees H-ID and HUD Contractor C-ID, G-ID
Needs Assessors: I-ID
Lenders: M-ID, Mortgagor (Property) FHA Case Numbers
Participant Information: Firm Name, Role, Street Address, City, State, Zip Code,
Contact Name, Contact Phone, Contact Email, Participant ID

4(a) Does the project, program, or system
retrieve information from the system about
a U.S. Citizen or lawfully admitted
permanent resident aliens by a personal
identifier?

No. Please continue to next question.
Yes. If yes, please list all personal identifiers
used:

4(b) Does the project, program, or system
have an existing System of Records Notice
(SORN) that has already been published in
the Federal Register that covers the
information collected?

No. Please continue to next question.
Yes. If yes, provide the system name and
number, and the Federal Register
citation(s) for the most recent complete notice and
any subsequent notices
reflecting amendment to the system

4(c)Has the project, program, or system
undergone any significant changes since the
SORN?
4(d) Does the project, program, or system
use Social Security Numbers (SSN)?

No. Please continue to next question.
Yes. If yes, please describe.
No.
Yes.

United States Department of Housing and Urban Development
August 3, 2017

9

4(e) If yes, please provide the specific legal
authority and purpose for the collection of
SSNs:
4(f) If yes, please describe the uses of the
SSNs within the project, program, or
system:
4(g) If this project, program, or system is
an information technology/system, does it
relate solely to infrastructure?

Click here to enter text.

Click here to enter text.

No. Please continue to next question.
Yes. If a log kept of communication traffic,
please answer this question.

For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?
4(h) If header or payload data3 is stored in the communication traffic log, please detail the data
elements stored.
Click here to enter text.

No.
Yes. If yes, please list:

5. Does this project, program, or system
connect, receive, or share PII with any
other HUD programs or systems?

6. Does this project, program, or system
connect, receive, or share PII with any
external (non-HUD) partners or
systems?

3

•

Connects to Web Access Security
Subsystem (WASS) for HUD and HUD
contractor’s user authentication

•

Connects to FHA Connections for Lender,
Needs Assessor user authentication.
External Lender user access the CNA eTool with an M ID through FHA
Connection

No.
Yes. If yes, please list:
Click here to enter text.

Header: Information that is placed before the actual data. The header normally contains a small number of bytes of
control information, which is used to communicate important facts about the data that the message contains and how
it is to be interpreted and used. It serves as the communication and control link between protocol elements on different
devices.
Payload data: The actual data to be transmitted, often called the payload of the message (metaphorically borrowing a
term from the space industry!) Most messages contain some data of one form or another, but some actually contain
none: they are used only for control and communication purposes. For example, these may be used to set up or
terminate a logical connection before data is sent.
United States Department of Housing and Urban Development
August 3, 2017 10

Choose an item.
No.
6(a) Is this external sharing pursuant to
new or existing information sharing
access agreement (MOU, MOA, etc.)?

Yes.
Please describe applicable information sharing
governance in place: Information sharing access
agreement are covered in project charter and
change control board documentation.
No.

7. Does the project, program, or system
provide role-based training for
personnel who have access in addition
to annual privacy training required of
all HUD personnel?

8. Per NIST SP 800-53 Rev. 4, Appendix
J, does the project, program, or system
maintain an accounting of disclosures
of PII to individuals/agencies who have
requested access to their PII?
9. Is there a FIPS 199 determination?4

Yes. If yes, please list:
•

System Security Administrator Training

•

System Owner Training

•

Assessor Tool Training

•

Submitter Training

No. What steps will be taken to develop and
maintain the accounting: None, the project does not
appear to trigger SORN requirements.
Yes. In what format is the accounting
maintained:
Unknown.
No.
Yes. Please indicate the determinations for each
of the following:
Confidentiality:
Low
Moderate

High

Integrity:
Low

Moderate

High

Availability:
Low
Moderate

High

4

FIPS 199 is the Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems and is used to establish security categories of information systems.

United States Department of Housing and Urban Development
August 3, 2017

11

PRIVACY THRESHOLD ANALYSIS REVIEW
(TO BE COMPLETED BY PROGRAM PLO)
Program Privacy Liaison Reviewer:

Nadine Smith

Date submitted to Program Privacy
Office:

July 24, 2017

Date submitted to HUD Privacy Branch:

August 3, 2017

Program Privacy Liaison Officer Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
Click here to enter text.

(TO BE COMPLETED BY THE HUD PRIVACY BRANCH)
HUD Privacy Branch Reviewer:

Marcus Smallwood

Date approved by HUD Privacy Branch:

August 3, 2017

PTA Expiration Date:

August 3, 2019
DESIGNATION

Privacy Sensitive System:
Category of System:
Determination:

Choose an item.

If “no” PTA adjudication is complete.

Choose an item.
If “other” is selected, please describe: Click here to enter text.
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
HUD Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy and Civil Liberties Impact Assessment (PCLIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact
your program PRA Officer.
United States Department of Housing and Urban Development
August 3, 2017

12

A Records Schedule may be required. Contact your program Records
Officer.
PIA:
SORN:

Choose an item.
If covered by existing PCLIA, please list:
Choose an item.

If covered by existing SORN, please list: Click here to enter text.
HUD Privacy Branch Comments:
Please describe rationale for privacy compliance determination above.
Click here to enter text.

United States Department of Housing and Urban Development
August 3, 2017

13

DOCUMENT ENDORSMENT

DATE REVIEWED: 8/3/2017
PRIVACY REVIEWING OFFICIALS NAME: Marcus Smallwood

By signing below, you attest that the content captured in this document is accurate and complete
and meet the requirements of applicable federal regulations and HUD internal policies.

Winfred Chan

Digitally signed by: Winfred Chan
DN: CN = Winfred Chan email = winfred.g.chan@hud.gov
C = US O = HUD OU = MF Housing
Date: 2017.08.03 11:04:46 -05'00'

Date
SYSTEM OWNER
Winfred Chan, Deputy Director
Office of the Deputy Assistant Secretary for Multifamily
Housing
Program Systems Management Office

MARCUS
SMALLWOOD

Digitally signed by: MARCUS SMALLWOOD
DN: CN = MARCUS SMALLWOOD C = US O
= U.S. Government OU = Department of
Housing and Urban Development, Office of
Administration
Date: 2017.08.03 09:24:50 -05'00'

8-03-17

Date
CHIEF PRIVACY OFFICER
Marcus Smallwood, Chief Privacy Officer (acting)
OFFICE OF ADMINISTRATION

United States Department of Housing and Urban Development
August 3, 2017

14


File Typeapplication/pdf
Authorangela.n.brooks@hud.gov
File Modified2017-08-03
File Created2017-08-03

© 2024 OMB.report | Privacy Policy