FISMA Privacy Reporting Requirements
United States Pacific Command (USPACOM)
FOIA & Privacy Act Conference
Presented by
Samuel P. Jenkins, Director for Privacy,
Defense Privacy & Civil Liberties Office
January 2011
PACOM Conference 2
FISMA & Privacy Reporting Requirements
Agenda
- Federal Information Security Management Act (FISMA): Division of Responsibilities
- FISMA Purpose
- The Reporting Requirements as found in OMB A-130, Appendix I
- The eleven questions that report on annual Agency Privacy Program Oversight
- FISMA Annual Report to Congress
Federal Information Security Management Act
(FISMA)
Division of Responsibilities
From Report GAO-07-837, INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July 2007.
Federal Information Security Management Act
Purpose
Origin of FISMA
The E-Government Act (Public Law 107-347)
passed by the 107th Congress and signed into law
by the President in December 2002.
Recognized the importance of information security to the economic and national security interests of the United States.
Title III of the E-Government Act, entitled the Federal
Information Security Management Act of 2002 (FISMA) requires:
Each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security.
In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter
In June 2005, OMB issued memo M-05-15, “FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management” which:
Initiated a number of questions regarding each agency’s privacy program (Section D of the report, Senior Agency Official for Privacy).
These questions related, in part, to agency implementation of the privacy provisions of the E-Government Act of 2002.
In April 2010, OMB issued memo M-10-15, “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” which formed a comprehensive context for security and privacy of Federal information across government, to include:
- The number of each type of privacy review conducted during the last fiscal year;
- Information about the advice provided: formal written policies, procedures, guidance, or interpretations of privacy requirements.
OMB memo M-10-15 “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management” (Continued)
The number of written complaints for each type of privacy issue allegation received to include:
Process and procedural issues (consent, collection, and appropriate notice);
Redress issues (non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters); or
Operational issues (inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or corrections);
For each type of privacy issue received for alleged privacy violations, the number of complaints the agency referred to another agency with jurisdiction.
OMB and Annual FISMA Reporting:
Senior Agency Official for Privacy (SAOP) Questions
Assignment of Responsibilities
OMB Circular No. A-130, “Management of Federal Information Resources,” November 28, 2000, Appendix I, 3.a. states: All Federal Agencies. In addition…the head of each agency shall:
- ensure that the reviews are conducted as often as specified in the accompanying chart (next slide);
- prepare to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered.
OMB Circular No. A-130, Appendix I, Privacy Reviews
Requirement and periodicity:
1. Matching Programs Review: annually
2. Recordkeeping Practices: biennially
3. Privacy Act Training: biennially
4. Violations: biennially
5. Systems of Records Notices: biennially
6. Section (m) Contracts: every two years, a random sample of agency contracts
7. Routine Use Disclosures: every four years
8. Exemption of Systems of Records: every four years
Question 1: Information Security Systems
Identify:
- the number of agency and contractor systems that contain Federal information in identifiable form
- the number of agency and contractor systems for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act
- the number of agency and contractor systems covered by an existing PIA
- the number of systems for which a system of records notice (SORN) is required under the Privacy Act
- the number of systems for which a current SORN has been published in the Federal Register
Question 2: Links to PIAs and SORNS
Provide the URL of the centrally located page on the agency web site listing working links to agency PIAs.
Provide the URL of the centrally located page on the agency web site listing working links to the published SORNs.
Question 3: Senior Agency Official for Privacy (SAOP) Responsibilities
Yes or No: Can your agency demonstrate through documentation that the privacy official:
- Participates in all agency information privacy compliance activities (i.e., privacy policy as well as IT information policy);
- Participates in evaluating the privacy implications of legislative, regulatory, and other policy proposals, as well as testimony and comments under OMB Circular A-19;
- Participates in assessing the impact of the agency’s use of technology on privacy and the protection of personal information?
Question 4: Information Privacy Training and Awareness
Does your agency have:
- A policy to ensure that all personnel (employees, contractors, etc.) with access to Federal data are generally familiar with information privacy laws, regulations and policies, and understand the ramifications of inappropriate access and disclosure?
- A program for job-specific and comprehensive information privacy training for all personnel (employees, contractors, etc.) directly involved in the administration of personal information or information technology systems, or with significant information security responsibilities?
Question 5: Does the agency have a written policy or process for each of the following?
PIA Practices:
- Determining whether a PIA is needed
- Conducting a PIA
- Evaluating changes in technology or business practices that are identified during the PIA process
- Ensuring system owners, privacy officials, and IT experts participate in conducting the PIA
- Making PIAs available to the public as required by law and OMB policy
- Monitoring the agency’s systems and practices to determine when and how PIAs should be updated
- Assessing the quality and thoroughness of each PIA and performing reviews to ensure that appropriate standards for PIAs are maintained
Question 5: Does the agency have a written policy or process for each of the following web privacy practices?
- Determining circumstances where the agency’s web-based activities warrant additional consideration of privacy implications
- Making appropriate updates and ensuring continued compliance with stated web privacy policies
- Requiring machine-readability of public-facing agency web sites (i.e., use of P3P)
Question 6: Reviews Mandated by Privacy Act of 1974, the E-Government Act of 2002, and the Federal Agency Data Mining Reporting Act of 2007.
Indicate which reviews were conducted in the last year for the following:
Requires a Check Mark | Requires a Number
Section M Contracts | Exemptions
Records Practices | Matching Programs
Routine Uses | System of Records
Training | Privacy Act, (e)(3) Statements
Violations: Civil Action and Remedial Action
Privacy Impact Assessments and Updates
Data Mining Impact Assessment
Question 7: Written Privacy Complaints
Indicate the number of written complaints for each type of privacy issue received by the SAOP or others at the agency:
- Process and Procedural: consent, collection, and appropriate notice
- Redress: non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters
- Operational: inquiries regarding Privacy Act matters, not including Privacy Act requests for access and/or correction
- Referrals: complaints referred to another agency with jurisdiction
Question 8: Policy Compliance Review
Does the agency:
- have current documentation demonstrating review of compliance with information privacy laws, regulations, and policies?
- use technologies that enable continuous auditing of compliance with stated privacy policies and practices?
- coordinate with the agency's Inspector General on privacy program oversight?
Can the agency provide documentation of planned, in-progress, or completed corrective actions necessary to remedy deficiencies identified in compliance reviews?
Question 9: Information About Advice Provided by the SAOP (Yes or No)
Indicate if the SAOP has provided formal written advice or guidance in each of the listed categories, and briefly describe the advice or guidance if applicable. The categories are:
- Agency policies, orders, directives, or guidance governing agency handling of personally identifiable information
- Written Agreements (either Interagency or with Non-Federal Entities) pertaining to information sharing, computer matching, and similar issues
- The agency’s practices for conducting, preparing, and releasing SORNs and PIAs
- Reviews or feedback outside of the SORN and PIA process (e.g., formal written advice in the context of budgetary or programmatic activities or planning)
- Privacy Training (either stand-alone or included with training on related issues); provide the number of employees (or contractors) who participated in the training.
Question 10: Agency Use of Persistent Tracking Technology
Indicate Yes or No for each item below:
- Does the agency use web management and customization technologies on any web site or application?
- Does the agency annually review the use of web management and customization technologies to ensure compliance with all laws, regulations, and OMB guidance?
- Can the agency demonstrate, with documentation, the continued justification for, and approval to use, web management and customization technologies?
- Can the agency provide the notice language or citation for the web privacy policy that informs visitors about the use of web management and customization technologies?
Question 11: Privacy Points of Contact Information
Please provide the names, phone numbers, and e-mail addresses of the following officials:
- Agency Head
- Chief Information Officer
- Agency Inspector General
- Chief Information Security Officer
- Senior Agency Official for Privacy
- Chief Privacy Officer
- Privacy Advocate
- Privacy Act Officer
- Reviewing Official for PIAs
- POC for URL links provided in question #2
Federal Information Security Management Act (FISMA)
Privacy Reporting at the Agency Level
Conclusion: Our Agency Annual FISMA Reporting to OMB.
From Report GAO-07-837, INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July 2007.
Resources
- OMB Memorandum M-10-15, April 21, 2010, “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.”
- Office of Management and Budget Circular No. A-130, November 28, 2000, “Management of Federal Information Resources.”
- Federal Information Security Management Act of 2002 (Pub. L. 107-347).
- OMB Memorandum M-07-16, May 22, 2007, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.”
- FY 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002.
- GAO Report 07-837, INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July 2007.