Good Ideas From the Fed—No, really!

Don Miller

In an earlier post, MFT Nation critiqued the U.S. Federal Government’s (the “Feds”) recently revised data security policies entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”).  In that earlier post, we focused on the not-so-good aspects of the Circular.  We also promised to discuss the positive aspects in the future, which is the purpose of this post.

The Feds claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.”  (This sentence is what an English teacher would call a “run on” sentence).  To achieve such laudable goals, the Feds say they focused on the following three elements when drafting the Circular:

  • Real Time Knowledge of the Environment.  In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds.  In such a setting, the Government cannot afford to authorize a system and not look at it again for years at a time.  In order to keep pace, we must move away from periodic, compliance-driven assessment exercises and, instead, continuously assess our systems and build-in security and privacy with every update and re-design.  Throughout the Circular, we make clear the shift away from check-list exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources.
  • Proactive Risk Management.  To keep pace with the needs of citizens, we must constantly innovate.  As part of such efforts, however, the Federal Government must modernize the way it identifies, categorizes, and handles risk to ensure both privacy and security.  Significant increases in the volume of data processed and utilized by Federal resources requires new ways of storing, transferring, and managing it Circular A-130 emphasizes the need for strong data governance that encourages agencies to proactively identify risks, determine practical and implementable solutions to address said risks, and implement and continually test the solutions.  This repeated testing of agency solutions will help to proactively identify additional risks, starting the process anew.
  • Shared Responsibility.  Citizens are connecting with each other in ways never before imagined.  From social media to email, the connectivity we have with one another can lead to tremendous advances.  The updated A-130 helps to ensure everyone remains responsible and accountable for assuring privacy and security of information – from managers to employees to citizens interacting with government services.

This is all good stuff.  Data security policies should focus on real-time knowledge of the environment, proactive risk management and shared responsibility.  In fact, bTrade focused on these and other concepts when developing its TDXchange software solution.  But again, it’s just amazing the Feds waited until 2016 to come to this realization and finally draft data security policies around these concepts.  But I digress.  Back to the topic—positive aspects of the Circular.

Appendix I establishes minimum requirements for information security programs and assigns responsibilities for the security of information and information systems.  Appendix I requires agencies to do such things as:

  • Perform ongoing reauthorization of systems (replacing the triennial reauthorization process) to better protect agency information systems;
  • Continuously monitor, log, and audit user activity to protect against insider threats;
  • Periodically test response procedures and document lessons learned to improve incident response;
  • Encrypt moderate and high impact information at rest and in transit;
  • Ensure terms in contracts are sufficient to protect Federal information;
  • Implement measures to protect against supply chain threats;
  • Provide identity assurance for secure government services; and,
  • Ensure agency personnel are accountable for following security and privacy policies and procedures.

Again, this is all good stuff.  For many years now, the Feds have required the private sector to incorporate such data security practices into their businesses.

Appendix II outlines some of general responsibilities for managing personally identifiable information (PII).  Appendix II summarizes requirements in the following areas:

  • Establishing and maintaining a comprehensive, strategic, agency-wide privacy program;
  • Designating senior agency officials for privacy;
  • Managing and training an effective privacy workforce;
  • Conducting Privacy Impact Assessments (PIA);
  • Applying NIST’s Risk Management Framework to manage privacy risks in the information system development life cycle;
  • Using the fair information practice principles when evaluating information systems, processes, programs, and activities that affect privacy;
  • Maintaining an inventory of PII and reducing PII usage to the minimum necessary for the proper performance of authorized agency functions; and,
  • Limiting the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of agency functions.

Such data security policies can already be found throughout the private sector.  It is the type of ecosystem for data security and privacy which businesses have been recognizing and adopting for many years now. Governmental agencies are being told that they have to develop a culture of privacy and security protection within their organizations and are being given the framework to follow.

The Circular is definitely needed given recent cyberattacks affecting the Fed.  In addition, it is hard for the U.S. government to expect businesses in the private sector to do something the government does not do itself.

Let’s hope the Feds don’t go another 16 years until the next update.