1 FISMA Privacy Reporting Requirements
United States Pacific Command (USPACOM) FOIA & Privacy Act Conference
Presented by Samuel P. Jenkins, Director for Privacy, Defense Privacy & Civil Liberties Office
January 2011

2 PACOM Conference: FISMA & Privacy Reporting Requirements
Agenda
- Federal Information Security Management Act (FISMA): Division of Responsibilities
- FISMA Purpose
- The reporting requirements as found in OMB Circular A-130, Appendix I
- The eleven questions that report on annual agency privacy program oversight
- FISMA Annual Report to Congress

3 Federal Information Security Management Act (FISMA): Division of Responsibilities

4 From Report GAO-07-837, INFORMATION SECURITY: "Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses," July 2007.

5 Federal Information Security Management Act: Purpose

6 Origin of FISMA
- The E-Government Act (Public Law 107-347) was passed by the 107th Congress and signed into law by the President in December 2002.
- It recognized the importance of information security to the economic and national security interests of the United States.

7 Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), requires:
- Each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security.

8 In support of and reinforcing this legislation, the Office of Management and Budget (OMB), through Circular A-130, Appendix III, "Security of Federal Automated Information Resources," requires executive agencies within the federal government to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter

9 In June 2005, OMB issued memo M-05-15, "FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," which:
- Initiated a number of questions regarding the agency's privacy program (Section D of the report: Senior Agency Official for Privacy)
These questions related, in part, to agency implementation of the privacy provisions of the E-Government Act of 2002.

10 In April 2010, OMB issued memo M-10-15, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," which formed a comprehensive context for security and privacy of Federal information across government, to include:
- The number of each type of privacy review conducted during the last fiscal year;
- Information about the advice: formal written policies, procedures, guidance, or interpretations of privacy requirements.

11 OMB memo M-10-15, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management" (continued)
The number of written complaints for each type of privacy issue allegation received, to include:
- Process and procedural issues (consent, collection, and appropriate notice);
- Redress issues (non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters); or
- Operational issues (inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or corrections);
For each type of privacy issue received for alleged privacy violations, the number of complaints the agency referred to another agency with jurisdiction.

12 OMB and Annual FISMA Reporting: Senior Agency Official for Privacy (SAOP) Questions

13 Assignment of Responsibilities
OMB Circular No. A-130, "Management of Federal Information Resources," November 28, 2000, Appendix I, 3.a. states:
- All Federal Agencies. In addition…the head of each agency shall ensure that the reviews are conducted as often as specified in the accompanying chart (next slide).
- Prepare to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered.

14 OMB Circular No. A-130, Appendix I, Privacy Reviews

   Requirement                          Periodicity
   1. Matching Programs                 Review annually
   2. Recordkeeping Practices           Biennially
   3. Privacy Act Training              Biennially
   4. Violations                        Biennially
   5. Systems of Records Notices        Biennially
   6. Section (m) Contracts             Every two years, a random sample of agency contracts
   7. Routine Use Disclosures           Every four years
   8. Exemption of Systems of Records   Every four years

15 Question 1: Information Security Systems
Identify:
- the number of agency and contractor systems that contain Federal information in identifiable form
- the number of agency and contractor systems for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act
- the number of agency and contractor systems covered by an existing PIA
- the number of systems for which a system of records notice (SORN) is required under the Privacy Act
- the number of systems for which a current SORN has been published in the Federal Register

16 Question 2: Links to PIAs and SORNs
- Provide the URL of the centrally located page on the agency web site listing working links to agency PIAs.
- Provide the URL of the centrally located page on the agency web site listing working links to the published SORNs.

17 Question 3: Senior Agency Official for Privacy (SAOP) Responsibilities
Yes or No: Can your agency demonstrate through documentation that the privacy official:
- Participates in all agency information privacy compliance activities (i.e., privacy policy as well as IT information policy);
- Participates in evaluating the privacy implications of legislative, regulatory, and other policy proposals, as well as testimony and comments under OMB Circular A-19;
- Participates in assessing the impact of the agency's use of technology on privacy and the protection of personal information?

18 Question 4: Information Privacy Training and Awareness
Does your agency have:
- A policy to ensure that all personnel (employees, contractors, etc.) with access to Federal data are generally familiar with information privacy laws, regulations and policies, and understand the ramifications of inappropriate access and disclosure?
- A program for job-specific and comprehensive information privacy training for all personnel (employees, contractors, etc.) directly involved in the administration of personal information or information technology systems, or with significant information security responsibilities?

19 Question 5: Does the agency have a written policy or process for each of the following?
PIA Practices:
- Determining whether a PIA is needed
- Conducting a PIA
- Evaluating changes in technology or business practices that are identified during the PIA process
- Ensuring system owners, privacy officials, and IT experts participate in conducting the PIA
- Making PIAs available to the public as required by law and OMB policy
- Monitoring the agency's systems and practices to determine when and how PIAs should be updated
- Assessing the quality and thoroughness of each PIA and performing reviews to ensure that appropriate standards for PIAs are maintained

20 Question 5 (continued): Does the agency have a written policy or process for each of the following web privacy practices?
- Determining circumstances where the agency's web-based activities warrant additional consideration of privacy implications
- Making appropriate updates and ensuring continued compliance with stated web privacy policies
- Requiring machine-readability of public-facing agency web sites (i.e., use of P3P)

21 Question 6: Reviews Mandated by the Privacy Act of 1974, the E-Government Act of 2002, and the Federal Agency Data Mining Reporting Act of 2007
Indicate which reviews were conducted in the last year for the following:
Requires a check mark:
- Section M Contracts
- Records Practices
- Routine Uses
- Training
- Violations: Civil Action and Remedial Action
Requires a number:
- Exemptions
- Matching Programs
- System of Records
- Privacy Act (e)(3) Statements
- Privacy Impact Assessments and Updates
- Data Mining Impact Assessment

22 Question 7: Written Privacy Complaints
Indicate the number of written complaints for each type of privacy issue received by the SAOP or others at the agency:
- Process and Procedural: consent, collection, and appropriate notice
- Redress: non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters
- Operational: inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or correction
- Referrals: complaints referred to another agency with jurisdiction

23 Question 8: Policy Compliance Review
Does the agency:
- Have current documentation demonstrating review of compliance with information privacy laws, regulations, and policies?
- Use technologies that enable continuous auditing of compliance with stated privacy policies and practices?
- Coordinate with the agency's Inspector General on privacy program oversight?
Can the agency provide documentation of planned, in-progress, or completed corrective actions necessary to remedy deficiencies identified in compliance reviews?

24 Question 9: Information About Advice Provided by the SAOP (Yes or No)
Indicate if the SAOP has provided formal written advice or guidance in each of the listed categories, and briefly describe the advice or guidance if applicable. The categories are:
- Agency policies, orders, directives, or guidance governing agency handling of personally identifiable information
- Written agreements (either interagency or with non-Federal entities) pertaining to information sharing, computer matching, and similar issues
- The agency's practices for conducting, preparing, and releasing SORNs and PIAs
- Reviews or feedback outside of the SORN and PIA process (e.g., formal written advice in the context of budgetary or programmatic activities or planning)
- Privacy training (either stand-alone or included with training on related issues); provide the number of employees (or contractors) who participated in the training.

25 Question 10: Agency Use of Persistent Tracking Technology
Indicate Yes or No for each item below:
- Does the agency use web management and customization technologies on any web site or application?
- Does the agency annually review the use of web management and customization technologies to ensure compliance with all laws, regulations, and OMB guidance?
- Can the agency demonstrate, with documentation, the continued justification for, and approval to use, web management and customization technologies?
- Can the agency provide the notice language or citation for the web privacy policy that informs visitors about the use of web management and customization technologies?

26 Question 11: Privacy Points of Contact Information
Please provide the names, phone numbers, and e-mail addresses of the following officials:
- Agency Head
- Chief Information Officer
- Agency Inspector General
- Chief Information Security Officer
- Senior Agency Official for Privacy
- Chief Privacy Officer
- Privacy Advocate
- Privacy Act Officer
- Reviewing Official for PIAs
- POC for the URL links provided in Question 2

27 Federal Information Security Management Act (FISMA): Privacy Reporting at the Agency Level

28 Conclusion: Our Agency Annual FISMA Reporting to OMB
From Report GAO-07-837, INFORMATION SECURITY: "Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses," July 2007.

29 Resources
- OMB Memorandum M-10-15, April 21, 2010, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management."
- Office of Management and Budget Circular No. A-130, November 28, 2000, "Management of Federal Information Resources."
- Federal Information Security Management Act of 2002 (Pub. L. 107-347).
- OMB Memorandum M-07-16, May 22, 2007, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information."
- FY 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002.
- GAO Report 07-837, INFORMATION SECURITY: "Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses," July 2007.
