Chapter 8 Federal Government Information Security and Privacy Regulations
1. Breach
   - OMB defines a breach as the "loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or similar occurrence" where unauthorized individuals access PII.
   - It can also include instances where an authorized individual accesses PII for a reason that is not authorized or allowed.
   b) If an agency decides to notify individuals about a breach, it must consider:
      i) Source of the notification — The highest-ranking agency official should notify people who are affected by the breach.
      ii) Time for notification — Agencies must notify the people affected by the breach without delay. An agency may delay notice only for law enforcement or national security reasons.
      iii) Contents of the notice — The notice should include a description of the breach and the type of data disclosed. It should include information on how people can protect themselves from having their data used by unauthorized individuals. It also should describe what the agency is doing to mitigate the breach.
      iv) Means of providing the notice — The agency must consider how to give notice to the people affected by the breach. Telephone, first-class mail, email, website postings, and release to national media outlets may all be appropriate ways to provide notice. The agency must consider the best method for a given situation. Agencies also must think about how they will give notice to individuals who are visually or hearing impaired.
1. The Privacy Act of 1974
   - Congress created the Privacy Act of 1974 to protect data collected by the government.
   - It applies to records created and used by federal agencies in the executive branch; it does not apply to state or local governments.
   - The Privacy Act applies only to data collected about U.S. citizens and permanent residents.
   - The Privacy Act requires agencies to implement administrative, technical, and physical safeguards to protect the records that they maintain. They must protect their records against any anticipated threats that could harm the people identified in the records. Under the act, harm includes embarrassment.
   b) Record
      - A record is any information about a person that an agency maintains. It includes a person's educational, financial, medical, and criminal history information.
      - The act requires agencies to keep accurate and complete records.
      - It also states that an agency should store only the data that it needs to conduct business; it should not store any extra or unnecessary data.
   c) An agency cannot disclose a person's records without his or her written consent. There are 12 exceptions to this general rule; a disclosure is permitted when it is:
      - Made to a federal agency employee who needs the record to perform his or her job duties
      - Required under the Freedom of Information Act
      - Made for an agency's routine use
      - Made to the U.S. Census Bureau to perform a survey
      - Made for statistical research or reporting, and all personally identifiable data has been removed
      - Made to the National Archives and Records Administration because the record has historical value
      - Made in response to a written request from a law enforcement or regulatory agency for civil or criminal law purposes
      - Made to protect a person's health or safety
      - Made to Congress
      - Made to the U.S. Comptroller General in the course of the performance of the duties of the U.S. Government Accountability Office
      - Made in response to a court order
      - Made to a consumer reporting agency for certain permitted purposes
   d) System of records notice (SORN)
      - A federal agency's notice about agency record-keeping systems that can retrieve records through the use of a personal identifier.
      - The Privacy Act of 1974 requires federal agencies to provide these notices.
      - Every agency is required to post its SORNs on its webpage.
1. "A cyber Pearl Harbor"
   - An attack that would cause physical destruction and the loss of life.
2. Cyberwar/information warfare
   - Conflict that takes place in or purposefully affects information systems.
   - Refers to conflicts between nations and their militaries.
   - Cyberwar attacks are carried out at the direction of a particular nation.
   - Cyberwar could affect military information systems, nongovernment information systems, and private industry information systems.
   - It includes not only threats to national security, but also threats to industry, commerce, and intellectual property.
   - It could even include larger threats to how governments function generally.
1. Government IT systems
   - Hold data on people living in the United States, including employment, tax, and citizenship data.
   - They also hold data on businesses operating in the United States, as well as data that are used to protect the United States from threats.
2. Office of Personnel Management (OPM)
3. National Institutes of Health (NIH)
4. Computer Security Act (CSA) of 1987
   - The first law to address federal computer security.
   - Every federal agency had to inventory its IT systems.
   - Agencies also had to create security plans for those systems and review their plans every year.
5. Federal Information Security Management Act (FISMA) of 2002
   - Created by Congress because of the September 11, 2001 attacks.
6. Federal Information Security Modernization Act of 2014 (FISMA 2014)
   - The main law addressing federal government computer security protection. FISMA 2014 largely superseded the 2002 act.
7. National security systems (NSSs)
   - Information technology systems that hold military, defense, and intelligence information.
8. CyberScope
   - Created by the DHS; it allows a real-time data feed that helps agencies and the OMB quickly assess an agency's information security posture.
1. Inspector General (IG)
   - A federal government official who independently evaluates the performance of federal agencies. Inspectors general are independent officials.
   b) The Inspector General Act of 1978 defined an IG's role. An IG is responsible for:
      i) Conducting independent and objective audits, investigations, and inspections
      ii) Preventing and detecting waste, fraud, and abuse
      iii) Promoting economy, effectiveness, and efficiency
      iv) Reviewing pending legislation and regulations
      v) Keeping the agency head and Congress informed about agency activities
   - The president nominates IGs for major federal agencies, and the Senate approves them. Only the president can remove these IGs. The president nominates IGs in the Department of Commerce, Department of Justice, and OMB, as well as in some other agencies.
1. The role of NIST (National Institute of Standards and Technology)
   - FISMA requires the Department of Commerce to create information security standards and guidelines. The Commerce Department delegated this responsibility to NIST, an agency of the Department of Commerce. NIST must:
      i) Create standards that all federal agencies use to categorize their data and IT systems
      ii) Create guidelines recommending the types of data and IT systems to be included in each category
      iii) Create minimum information security controls for IT systems
   b) Standard - states mandatory actions that an organization must take to protect its IT systems.
   c) Guideline - states recommended actions that an organization should follow.
2. NIST creates two different types of documents:
   a) Federal Information Processing Standards (FIPS)
      - FIPS are standards. Federal agencies must follow FIPS, and they must comply with new FIPS within 1 year of their publication date.
      - FIPS do not apply to NSSs (national security systems).
      - NIST creates FIPS when there is a compelling reason to do so, that is, when there is no acceptable industry standard or solution for the underlying information security issue.
      - There are 11 FIPS for information security.
      - NIST uses procedures described in the Administrative Procedures Act (APA) to create FIPS. The APA states formal procedures for creating rules and regulations. This formal process ensures due process and makes sure that all interested agencies have a chance to comment on draft FIPS.
      - NIST publishes a proposed FIPS in the Federal Register, where it is available for public review for 30 to 90 days.
      - The Department of Commerce must approve FIPS before they can be finalized.
      - Agencies have no flexibility in implementing FIPS, as they are mandatory.
   b) Special Publications (SPs)
      - SPs are guidelines. They are computer security guidelines that are more general than FIPS.
      - NIST creates SPs in collaboration with industry, government, and academic information security experts. NIST does not use the very formal FIPS drafting process to create these documents.
      - Federal agencies have some flexibility in using the SPs for guidance.
3. FedRAMP (the Federal Risk and Authorization Management Program)
   - A government-wide program developed by NIST, the U.S. General Services Administration, DHS, and the Department of Defense. NIST also advises the FedRAMP program on FISMA compliance.
   - Any cloud computing services that store federal data must be FedRAMP approved.
   - FedRAMP outlines a standard approach to assess the security of cloud products and services. The FedRAMP security assessment framework is based on the NIST risk management framework (RMF).
4. NIST uses a Risk Management Framework (RMF) approach to FISMA compliance.
   - This framework is outlined in "SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations."
   - This approach helps protect IT systems during their whole life cycle.
   - Federal agencies must use the RMF provided by NIST to assess the information security and privacy risks to their IT systems.
5. The NIST RMF outlines six steps to protect federal IT systems:
      i) Categorize IT systems.
      ii) Select minimum security controls.
      iii) Implement security controls in IT systems.
      iv) Assess security controls for effectiveness.
      v) Authorize the IT system for processing.
      vi) Continuously monitor security controls.
   b) "FIPS 199, Standards for Security Categorization of Federal Information and Information Systems"
      - Helps agencies categorize their IT systems. It serves as the starting point for an agency's information security program and helps agencies separate their IT systems into categories based on risk.
      - Agencies then apply security controls to their IT systems based upon their category.
      - Under FIPS 199, agencies must first assess the impact on IT systems of a loss of confidentiality, integrity, or availability. The security category expresses that impact.
      - FIPS 199 defines three security categories. They are:
         - Low — The loss of confidentiality, integrity, or availability has a limited adverse effect on the agency, its information assets, or people. A low impact event results in minor damage to assets.
         - Moderate — The loss of confidentiality, integrity, or availability has a serious adverse effect on the agency, its information assets, or people. A moderate impact event results in significant damage to assets.
         - High — The loss of confidentiality, integrity, or availability has a severe or catastrophic adverse effect on the agency, its information assets, or people. A high impact event results in major damage to assets.
1. Two major laws protecting the privacy of data that the government uses in the course of business are:
a) The Privacy Act of 1974 b) The E-Government Act of 2002
1. Main requirements of FISMA
   a) Agencies must submit monthly electronic data feeds to the DHS through a program known as CyberScope. The purpose of these data feeds is to continuously monitor the security posture of the federal agency's information systems.
   b) Each agency must report yearly to the OMB on its FISMA compliance activities. An agency also must send a copy of its yearly report to the following:
      - House of Representatives Committee on Oversight and Government Reform
      - House of Representatives Committee on Homeland Security
      - House of Representatives Committee on Science and Technology
      - Senate Committee on Homeland Security and Governmental Affairs
      - Senate Committee on Commerce, Science, and Transportation
      - U.S. Government Accountability Office (GAO)
      - The agency's congressional authorization and appropriations committees
   c) An agency's yearly report must review its information security program. Items reviewed must include:
      - The adequacy of the program
      - A description of each major information security incident experienced by the agency
      - The total number of information security incidents experienced by the agency
      - A description of any information security incident experienced by the agency that compromised personally identifiable information (PII)
   d) It also must assess the agency's progress on correcting any weaknesses in the program or security controls.
      - The agency must also respond to a set of questions about its security practices, which are asked in CyberScope.
      - Each year the DHS publishes the questions that will be asked in the following year.
   e) Agencies must also report on their privacy activities. For example, they have to share information on their privacy training programs and their breach notification policy.
      - They also must give a progress report on their efforts to eliminate the unnecessary use of SSNs and other PII.
      - The yearly report also must include the results of an independent evaluation of the agency's information security program. Some agencies have an inspector general (IG).
1. Federal Information Security Modernization Act of 2014
   - Sought to improve oversight of federal information security activities and provide a framework for making sure that information security controls are effective.
   b) Purpose and scope
      - Defines information security as protecting IT systems to provide confidentiality, integrity, and availability.
      - IT systems must be protected from unauthorized use, access, disruption, modification, and destruction.
   c) Six main provisions of FISMA. The law:
      i) Sets forth agency information security responsibilities
      ii) Requires a yearly independent review of agency information security programs
      iii) Authorizes the National Institute of Standards and Technology (NIST) to develop information security standards for IT systems that do not contain unclassified information
      iv) Gives the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) specific oversight responsibilities
      v) Clarifies that national security systems (NSSs) must be secured using a risk-based approach
      vi) Provides for a central federal security incident response (IR) center
   d) Examples of federal agencies
      i) Federal Aviation Administration
      ii) Social Security Administration
      iii) Department of Education
   e) What federal agencies must do to comply with FISMA:
      i) Risk assessments — Agencies must perform risk assessments. They must measure the harm that could result from unauthorized access to or use of agency IT systems. Agencies must base their information security programs on the results of these risk assessments.
      ii) Policies and procedures — Agencies must create policies and procedures to reduce risk to an acceptable level. The policies must protect IT systems throughout their life cycle. Agencies also must create configuration management policies.
      iii) Subordinate plans — Agencies must make sure that they have plans for securing networks, facilities, and systems or groups of IT systems. These plans are for technologies or system components that are a part of the larger information security program.
      iv) Security awareness training — Agencies must give training to employees and any other users of their IT systems. This includes contractors. This training must make people aware of potential risks to the agency's IT systems. It also must make people aware of their duties to protect these systems.
      v) Testing and evaluation — Agencies must test their security controls at least once a year. They must test management, operational, and technical controls for each IT system.
      vi) Remedial actions — Agencies must have a plan to fix weaknesses in their information security program.
      vii) Incident response — Agencies must have an IR procedure. They must state how the agency detects and mitigates incidents. The procedure must include reporting incidents to the DHS United States Computer Emergency Readiness Team (US-CERT) as needed.
      viii) Continuity of operations — Agencies must have business continuity plans as part of their information security programs.
1. FISMA requires federal agencies to secure NSSs using a risk-based approach. An NSS includes systems that are for:
   - Intelligence activities
   - Command and control of military forces
   - Weapons or weapons-control equipment
   - Use of cryptography to protect national security
   - Functions critical to military or intelligence missions
   - Information that must be kept classified for national defense or foreign policy
2. Classified information
   - Protected by presidential executive order; it is information that is labeled Confidential, Secret, or Top Secret.
   - Its label is based upon its national security importance. This data must be protected to meet national security goals.
1. Office of Personnel Management (OPM)
   - Is the human resources department for the U.S. federal government.
   - The OPM provides background check investigation services to other federal agencies.
1. The Committee on National Security Systems (CNSS)
   - Oversees FISMA activities for NSSs.
   - CNSS has 21 voting members. They include officials from the National Security Agency (NSA), Central Intelligence Agency (CIA), and Department of Defense (DoD).
   - A DoD member leads the committee.
   - The CNSS also includes several subcommittees and panels.
2. The OMB (Office of Management and Budget) and the DHS (Department of Homeland Security)
   - Share responsibility for FISMA compliance.
   - The OMB oversees FISMA-related budgetary issues. It can also withhold funding from agencies that fail to follow FISMA.
   - In addition, the OMB must continue to issue a report to Congress each year on the government's FISMA compliance. This report details how federal agencies are complying with FISMA. It also identifies problem areas.
   - The DHS has the power to ensure that agencies are meeting their FISMA obligations. It can also create rules and other guidance that these agencies must follow. These rules are called binding operational directives.
   - The DHS also keeps track of how all federal agencies are complying with FISMA and annually reviews their cybersecurity programs. DHS also has responsibilities for governmental IR activities.
1. After the agency determines the security category, it must decide which controls to use. NIST created two documents to help with this task:
   a) "FIPS 200, Minimum Security Requirements for Federal Information and Information Systems"
   b) "SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations"
   - The OMB requires that agencies use these documents to make their security control decisions.
2. These documents require agencies to specify controls in 17 areas. FIPS 200 lists these areas. They are:
   - Access control
   - Awareness and training
   - Audit and accountability
   - Certification, accreditation, and security assessments
   - Configuration management
   - Contingency planning
   - Identification and authentication
   - Incident response
   - Maintenance
   - Media protection
   - Physical and environmental protection
   - Planning
   - Personnel security
   - Risk assessment
   - System and services acquisition
   - System and communications protection
   - System and information integrity
3. Under FISMA, the government must have a federal IR center (US-CERT), which must:
   - Give technical support to agencies about handling information security incidents.
   - Compile and analyze data about information security incidents.
   - Inform agencies about current and potential threats and vulnerabilities.
   - Inform agencies about threats, vulnerabilities, and incidents to be considered as part of the agencies' risk assessment process.
   - Consult with NIST and agencies with NSSs about information security incidents.
4. National Cybersecurity and Communications Integration Center (NCCIC)
   - Agencies must report all information security incidents to the NCCIC.
5. An incident is an event that "actually or imminently jeopardizes the integrity, confidentiality, or availability of information or an information system" or "constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."
6. An agency must share the following information about an incident when it makes a report:
   - The impact the incident has had on the agency
   - Whether any information has been lost, compromised, or corrupted
   - The estimated amount of time and resources that are needed to recover from the incident
   - When the incident was first detected
   - The number of systems, records, and users impacted
   - The network location of the incident
   - Contact information if the NCCIC/US-CERT needs more information
1. The FY2018 FISMA annual report noted that the U.S. federal government continues to have security deficiencies. The top deficiencies were:
   a) Lack of data protection
   b) Lack of network segmentation
   c) Inconsistent patch management practices
   d) Lack of strong authentication
   e) Lack of continuous monitoring, audit, and logging capacities
1. Three different types of export control regulations restrict the export of certain items overseas:
   a) International Traffic in Arms Regulations (ITAR)
      - The U.S. Department of State issues the ITAR. They apply to military or defense applications and technology that do not have civil (nonmilitary or nondefense) uses.
      - They are covered under export control laws because of national security concerns.
      - Any export of applications and technology covered by ITAR requires an export license, which is issued by the Department of State.
      - Items that are covered by ITAR are listed on the U.S. Munitions List. Among the categories are guns and armament, military electronics, spacecraft, and nuclear weapons.
      - The penalties for violating ITAR are severe: civil fines over $1 million are possible, and a person who violates ITAR can be sentenced to up to 20 years in jail.
      - Companies that violate ITAR can be barred from selling products to the federal government.
   b) Export Administration Regulations (EAR)
      - The U.S. Department of Commerce handles the EAR. This responsibility is delegated to the Bureau of Industry and Security (BIS).
      - The EAR applies to dual-use technologies, which have both military and commercial uses.
      - Under the EAR, an exporter must have an export license for items and technologies that are on the Commerce Control List (CCL). In 2018, the BIS approved about 85 percent of these license applications.
      - The CCL has 10 broad categories. They include electronics, computers, telecommunications, and information security technologies. Some items are listed on the CCL when they are removed from the U.S. Munitions List.
      - Violators can be fined either up to $300,000 or up to twice the value of the transaction. A person who willfully violates the EAR can be fined up to $1 million per offense and can be sentenced to up to 20 years in jail.
      - The Treasury Department also oversees some export laws.
   c) Regulations from the Office of Foreign Assets Control (OFAC)
      - The OFAC is part of the Treasury Department and enforces trade sanctions and embargoes. An embargo is a ban against trade with another country.
      - The OFAC administers trade sanctions and embargoes as part of U.S. foreign policy goals. It has the power to forbid some types of transactions based upon these goals.
      - OFAC regulations may forbid people in the United States from engaging in any trade or financial transactions with other countries. People in the United States are prohibited from engaging in trade with certain people in other countries.
      - Penalties for violating OFAC regulations are generally the same as for EAR violations.
2. The E-Government Act of 2002
   - Federal agencies must:
      i) Review their IT systems for privacy risks
      ii) Post privacy policies on their websites
      iii) Post machine-readable privacy policies on their websites
      iv) Report privacy activities to the OMB
   b) Privacy impact assessment (PIA)
      - A review of how a federal agency's information technology systems process personal information. The E-Government Act of 2002 requires federal agencies to conduct these assessments.
   c) The PIA must contain the following information:
      - What data the agency will collect
      - Why the agency is collecting the data
      - How the agency will use the data
      - How the agency will share the data
      - Whether people have the opportunity to consent to specific uses of the data
      - How the agency will secure the data
      - Whether the data collected will be a system of records as defined by the Privacy Act
   - An agency must submit its PIAs to the OMB. Agencies also must make them available to the public. The only time an agency does not have to make a PIA available to the public is when doing so might compromise the security of an IT system.
   - The E-Government Act requires agencies to post privacy policies on their websites. The privacy policies must contain the same types of information that are in a PIA. They make the public aware of how the agency collects information. They also state how the agency uses that information.
   - Agencies must post a link to their privacy policies on their main website home page and write them in language that is easy to understand.
   - The E-Government Act also requires agencies to adopt machine-readable privacy policies. These technologies alert users about the agency's website privacy practices. A machine-readable privacy policy lets users know if the agency's privacy practices match the user's browser privacy preferences. The machine-readable privacy policy standard is called P3P.