OMB Memoranda 06-15 and 06-16: Safeguarding Information Maintained by the U.S. Government
In 2006, the Office of Management and Budget published two memoranda back to back dealing specifically with protecting certain types of information maintained by the Federal Government. M-06-15 addresses safeguarding personally identifiable information. M-06-16 deals with the protection of sensitive agency information. Both memoranda reiterate the security requirements of previous regulations, and expand upon them to make them more effective.
M-06-15 served as a reminder to government agencies of their responsibilities towards protecting personally identifiable information.
Under the Privacy Act of 1974 agencies must:
- Establish rules of conduct for individuals working accessing, using or maintaining personally identifiable information. Employees should receive adequate training in their privacy and security responsibilities and be made aware of the consequences of noncompliance with the Privacy Act.
- Implement adequate administrative, technical and physical safeguards to protect personally identifiable information.
M-06-15 asked all Senior Agency Official for Privacy appointed pursuant to M-05-08 to review agency policies to ensure compliance with the Privacy Act. The review was to be included in a report reviewing implementation of an compliance with the Federal Information Security Management Act (FISMA).
M-06-16 described important security controls agencies should use to protect sensitive agency information:
1. All mobile devices that store or access agency data should be encrypted
2. Remote access to agency data must require a two factor authentication process which includes a device separate from the device gaining access
3. Agencies should implement time-out functions on remote access mobile devices that log out a user after 30 minutes of inactivity
4. Agencies must maintain adequate logs of all computer readable data extracts from information systems containing sensitive data. Data that is no longer in use should be erased after 90 days.
M-06-16 also included the National Institute of Standards and Technology (NIST) checklist for remote access:
1. Confirm identification of personally identifiable information protection needs– Any PII that may be at increased risk from remote access must be identified and a risk assessment performed.
2. Verify adequacy of organizational policy– Existing policy should be reviewed to ensure that the procedures and security controls adequately protect PII. Policy should be improved upon if necessary.
3. Implement protections for personally identifiable information being transported and/or stored offsite– This step involves ensuring the proper security controls including encryption are applied to sensitive agency data before it is transported or store away from the main agency network.
4. Implement protections for remote access to personally identifiable– Users should access agency data through a Virtual Private Network (VPN) to ensure proper authentication and security. Security controls should be implemented to limit the ability to access or download PII remotely only to authorized individuals. All sensitive data stored on remote access devices should be encrypted, if policy allows remote storage. If policy does not allow storage of PII on the local hard drive of a remote device, proper security controls should be implemented to allow remote use without local storage of the data
The protection of agency data including sensitive information and personally identifiable information remains a significant concern for government agencies and the Office of Management and Budget. While memoranda 06-15 and 06-16 include no new recommendations or policies, such memoranda enforce the idea that attention to and review of security controls is an ongoing process that must occur regularly to ensure proper protection of agency information.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- OMB Memorandum 06-15 (II.A.c.2.e)
- OMB Memorandum 06-16 (II.A.c.2.f)