1.6.4 Agency IT Authorities – OMB Guidance

Privacy Risk
Once the agency determines that an information system contains Personal Identifiable Information (PII), the agency must then consider the privacy risks and the associated risk to agency operations, agency assets, individuals, other organizations, and the Nation. When considering privacy risks, the agency must consider the risks to an individual or individuals associated with the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of their PII. (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016. Page 44.)

Privacy Impact Assessments (PIA)
As a general matter, an agency must conduct a privacy impact assessment (PIA) under section 208(b) of the E-Government Act of 2002, absent an applicable exception under that section, when the agency develops, procures, or uses information technology to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII. Moreover, a PIA is not a time- restricted activity that is limited to a particular milestone or stage of the information system or PII life cycles. Rather, the privacy analysis must continue throughout the information system and PII life cycles. (Ibid.)

Risk Management Framework
Agencies’ privacy programs have responsibilities under the Risk Management Framework. The Risk Management Framework provides a disciplined and structured process that integrates information security, privacy, and risk management activities into the information system development life cycle. Agencies should refer to OMB Circular No. A-130 for more detailed guidance regarding the role of agencies’ privacy programs under the Risk Management Framework (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016. Page 46). The CIO Council and the Cyber-ERM Community of Interest updated the Federal ERM Playbook and added a chapter on Cyber-ERM Integration. The chapter provides foundations of Information Security and Cybersecurity that identifies integration points with physical security, addresses privacy, cyber supply-chain risk, incorporates NIST standards, addresses FISMA audits and “enterprise” scope, and other information related to terms, roles, responsibilities and communication flow.

[Privacy Budget Estimates]
[Agency budget estimates] should reflect the Administration’s commitment to privacy and consistent with OMB Circular A-130, should include a description of [the] agency’s privacy program and the resources required to ensure compliance with applicable privacy requirements, develop and evaluate privacy policy, and manage privacy risks. At a minimum, [the] estimate should:

• Demonstrate [awareness] of applicable privacy requirements and has fully assessed he cost to the agency for ensuring compliance with those requirements and managing privacy risks;
• [Reflect the inventory] of information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information; and
• [Reflect the consideration of privacy] continuous monitoring strategy and the resources and associated costs required to ensure that privacy controls are effectively monitored on an ongoing basis at an assessment frequency sufficient to ensure compliance with applicable privacy requirements and to manage privacy risks. (OMB Circular A-11. Preparation, Submission, and Execution of the Budget. Section 31.8. 2020.)

Designation of the [SAOP]
The head of the agency is ultimately responsible for ensuring that privacy interests are protected and that PII is managed responsibly within the agency.

To ensure that agencies effectively carry out the privacy-related functions described in law and OMB policies, Executive Order 13719 requires the head of each agency to designate or re- designate an SAOP who has agency-wide responsibility and accountability for the agency’s privacy program. (OMB M-16-24. Role and Designation of Senior Agency Officials for Privacy. 9/15/2016.)

[SAOP Reporting Requirements]
Given the importance of privacy, as highlighted in policies such as OMB Circular A-130, Managing Information as a Strategic Resource, and OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, agencies must take appropriate measures to comply with privacy requirements and manage privacy risks.

• SAOPs are required to report annually and must submit each of the following items as separate documents through CyberScope: (OMB M-20-04. Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements. 11/19/2019.)
  • The agency’s privacy program plan;
  • A description of any changes made to the agency’s privacy program during the reporting period, including changes in leadership, staffing, structure, and organization;
  • The agency’s breach response plan;
  • The agency’s privacy continuous monitoring strategy;
  • The Uniform Resource Locator (URL) for the agency’s privacy program page, as well as the URL for any other sub-agency, component, and/or program-specific privacy program pages; and,
  • The agency’s written policy to ensure that any new collection or use of Social Security numbers (SSNs) is necessary, along with a description of any steps the agency took during the reporting period to explore alternatives to the use of SSNs as a personal identifier.

The Agency HVA Process
Agencies must take a strategic enterprise-wide view of risk that accounts for all critical business and mission functions when identifying HVAs (OMB M-17-09. Management of Federal High Value Assets. 12/9/2016). HVAs are those assets, Federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification or destruction could cause significant impact to the United States’ nations security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies [must establish] appropriate governance of HVA activities across the enterprise and should integrate HVA remediation activities into agency planning, programming, budgeting, and execution processes. These efforts must align with OMB policy, Federal law and regulations, Federal standards and guidelines, and agency policies, processes, and procedures. (Ibid.) For complete details on the agency HVA process see the memo.

Information Security and Privacy Program Oversight and FISMA Reporting Requirements
[OMB and DHS use] CIO and IG metrics to compile the Annual FISMA Report to Congress and may use this reporting to compile agency-specific or government-wide risk management assessments as part of an ongoing effort in support of Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

At a minimum, CFO Act agencies must update their CIO Metrics quarterly and non-CFO Act agencies must update their CIO metrics on a semiannual basis. Reflecting the Administration’s shift from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, and Binding Operational Directive 18-02, Securing High Value Assets, CIO Metrics are not limited to assessments and capabilities within [NIST] security baselines, and agency responses should reflect actual implementation levels. Although FISMA requires an annual IG assessment, OMB strongly encourages CIOs and IGs to discuss the status of information security programs throughout the year.

Cybersecurity Reporting: Overview and Purpose
On May 11, 2017, the President signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which outlines a number of actions to enhance cybersecurity across Federal agencies and critical infrastructure partners. Section 1 of the Executive Order reinforces the Federal Information Security Modernization Act of 2014 (FISMA) by holding agency heads accountable for managing the cybersecurity risks to their enterprises. This Memorandum provides implementing guidance on actions required in Section 1 of the Executive Order. (OMB M-17-25. Reporting Guidance for Reporting Progress on Executive Order on Strengthening the Cybersecurity of Federal Network and Critical Infrastructure. 5/19/2017.)

Policy to Require Secure Connections across Federal Websites and Web Services
OMB Memorandum M-15-13 requires that all publicly accessible Federal websites and web service only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).

[To] promote the efficient and effective deployment of HTTPS, the timeframe for [compliance is outlined below]. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. (OMB M-15-13. Policy to Require Secure Connections across Federal Websites and Web Services. 6/8/2015.)

• Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch.
• For existing websites and services, agencies should prioritize deployment using a risk- based analysis. Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level of traffic should receive priority and migrate as soon as possible.
• Agencies [should have made] all existing websites and services accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)) by December 31, 2016.
• The use of HTTPS is encouraged on intranets, but not explicitly required.

FISMA Reporting and Agency Privacy Management
OMB requires that the head of each agency submit, as part of the agency’s annual report, a signed electronic copy of an official letter to CyberScope providing a comprehensive overview reflecting his or her assessment of the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of the Federal Information Security Modernization Act (FISMA) for the agency. (OMB M-14-04. Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. 11/18/2013.)

Below are activities explicitly outlined in FISMA:

CIO/CISO Interviews
DHS will [conduct] annual interviews with agencies’ CIO and [CISO] based on their agency’s security posture. Each interview session has three distinct goals:

• Assessing progress towards the administration cybersecurity priorities and other FISMA compliance and challenges;
• Identifying security best practices and raising awareness of FISMA reporting requirements; and
• Establishing meaningful dialogue with the agency’s senior leadership.

Submit Privacy Documents
As part of the annual report, Senior Agency Officials for Privacy are to submit the following documents through CyberScope:

• Description of the agency’s privacy training for employees and contractors;
• Breach notification policy;
• Progress update on eliminating unnecessary use of Social Security Numbers; and
• Progress update on the review and reduction of holdings of personally identifiable information. (Ibid.)

OMB [requires] agencies to submit these four privacy documents whether or not the documents have changed from versions submitted in previous years.

Information Security Continuous Monitoring (ISCM)
To fully implement ISCM across the Government, agencies shall: 1) Develop and maintain, consistent with existing statutes, OMB policy, NIST guidelines and the CONOPS, an ISCM strategy, and establish an ISCM program that: a. Provides a clear understanding of organizational risk and helps officials set priorities and manage such risk consistently throughout the agency; and b. Addresses how the agency [conducts] ongoing authorizations of information systems and the environments in which those systems operate, including the agency’s use of common controls. (OMB M-14-03. Enhancing the Security of Federal Information and Information Systems. 11/18/2013.)

Federal Information Security Management Act (FISMA) Agency Reporting Activities
To comply with this guidance, [agencies carry out] the following activities:

1. Establish monthly data feeds to CyberScope;
2. Respond to security posture questions; and
3. Participate in CyberStat accountability sessions and agency interviews.

CyberScope is the platform for the FISMA reporting process. Agencies should note that a Personal Identity Verification card, compliant with Homeland Security Presidential Directive 12 is required for access to CyberScope. No FISMA submissions [are] accepted outside of CyberScope. For information related to CyberScope, please visit: https://max.omb.gov. (The website MAX.gov is only accessible to federal employees.) CIOs, Inspectors General, and Senior Agency Officials for Privacy [all] report through CyberScope. Micro agencies (According to M-11-33, micro agencies are agencies employing 100 or fewer full time equivalents (FTEs)) [also] report using this automated collection tool.  (OMB M-11-33. FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. 9/14/2011).