With recent reports of potential violations of sensitive personal information by federal agencies, the Office of Management and Budget (OMB) has tightened requirements for safeguarding information assets and for notification of security breaches.
Incidents Involving Personally Identifiable Information
The Federal Information Security Management Act (FISMA) requires all agencies to report security incidents involving personally identifiable information to the U.S. Computer Emergency Readiness Team (US-CERT), a federal incident response center located within the Department of Homeland Security. Personally identifiable information means any information about an individual maintained by an agency, including, but not limited to: education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as name, Social Security Number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.
Reporting Requirements
In a memo dated July 12, 2006, OMB provided updated guidance on the reporting of security incidents to now require agencies to report all incidents involving personally identifiable information to US-CERT within one hour of discovering the incident. The memo further stipulates that agencies should not distinguish between confirmed and suspected breaches, but to report all incidents, in both electronic and physical form. See the US-CERT Web site at http://www.us-cert.gov/federal/reportingRequirements.html for federal incident reporting guidelines. The Department of the Navy Chief Information Officer (DON CIO) is preparing to release additional guidance that will assist local commands with the specific processes for effectively handling privacy incidents.
Safeguarding Information
Earlier OMB guidance on agency compliance with FISMA called on all agencies to properly safeguard their information assets using a checklist developed by the National Institute for Standards and Technology (NIST). It calls for agencies to follow four steps: (1) Confirm identification of personally identifiable information protection needs; (2) Verify adequacy of organizational policy; (3) Implement protections for personally identifiable information being transported and/or stored off-site; and (4) Implement protections for remote access to personally identifiable information.
Taking these precautions should eliminate the need for reporting later.
The DON CIO is working to improve privacy protections for all DON information technology (IT) resources, collaborating with system owners throughout the Department to perform Privacy Impact Assessments (PIAs) on all relevant IT systems that handle personally identifiable information on DON military and civilian personnel. These PIAs, required by FISMA and DON CIO policy, provide a method for effectively measuring and analyzing the privacy protections in place throughout the Department. The DON CIO is also preparing to release revised policies regarding teleworking, remote access and data at rest that will include language outlining privacy protection requirements.
Contact DON CIO IA team member Darin Dropinski at darin.dropinski@navy.mil for more information.