...
National Marine Fisheries Service issues permits to fishing industry individuals and corporations and also to individual recreational fishers. More.... legislative or other policy mandates
Permits Types and Volumes
A wide range of permit types are issued. Some representative examples are: More.... Good place for transaction volumes
Business Drivers
Fisheries are managed regionally, but, many participants in the fishing industry are national or multinational in scope. It would be a convenience to these participants to offer a one-stop-shop for permits. Also, a one-stop-shop would facilitate maintenance of a single identifier for an industry participant who fishes or processes fish in multiple regions, and it would leverage efforts to improve data quality across regions. More.... The more could include what business benefit they derive from the permit and what business risk they incur if they break NMFS rules. Is this the spot for cycle times?
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
...
Users and functionality Not sure about this label as it seem to be more about the registration process. I think I would describe users more generically above in the context section.What are there characteristics (i.e., businesses, individuals, etc). Level of automation in business and maybe even computer saavy. What's the extent to which there intermediaries between users and government.
...
Registration will be open to new permit applicants, existing permit holders, and agents of both. From the system perspective, there is little difference between permit holders and agents of permit holders. (Agents should file a notarized letter of authorization from each permit owner that the agent represents. The permit owner is responsible for transactions pertaining to their permit, and if they have delegated to an agent without submitting the authorization letter, that doesn't absolve them of any responsibility.) New permit applicants will not be identifiable with the same level of assurance as existing permit holders, but, as the permit application is processed, the confidence in the permit holder's identity will grow. And as a new permit applicant starts out with no value in the system, there is little at risk for these participants whose identity is less certain.
Existing permit holders may have considerable value in the system; for example, they may own fisheries quota that has significant market value. These existing permit holders must demonstrate knowledge of a secret permit access code (PAC) which was mailed by USPS mail to the permit owner's address of record. After a participant has registered and associated their permits with their username (through knowledge of one or more PACs), then the participant can access potentially sensitive permit information as well as renew or transfer permits. There are opportunities for mitigating controls in business processes, so the e-signature process does not necessarily have to address all of the transaction risk.
...
Transactions: data sensitivity and volume I would move the volume data up in biz context and leave this section to focus on FISMA and Privacy Act issues
...
In general these permit applications do not contain highly sensitive information. However, most have some personally identifying information (PII) and some few applications may contain proprietary business information.
...
Permit transfer volume nation-wide is estimated at __ transfers per year.
...
Internal control processes aka mitigating controls?
...
New permit applications generally involve processing rigor commiserate with the value of the permit. Permits for fisheries with low economic opportunity and/or low risk to the public resource generally receive only nominal scrutiny. Permits for fisheries with high economic opportunity and/or high risk to the public resource receive considerable scrutiny. In many cases this involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
...