Memorandum 06-19 was issued by the Office of Management and Budget in July 2006 to update the reporting requirements for data breaches involving personally identifiable information. It also addressed the need to budget in anticipation of providing adequate data security.
Reporting Security Incidents
Under the Federal Information Security Management Act, all government agencies must alert the U.S. Computer Emergency Readiness Team (US-CERT) of any potential or confirmed security violations. Response times and procedures vary according to the type of violation. OMB 06-19 decreased the reporting time for incidents involving personally identifiable information to within one hours of its detection or discovery. This helps to facilitate prompt, efficient response to security and privacy threats. Security violations involving PII must be reported regardless of whether the information is stored physically or electronically.
Incorporating Security Funding Into Information Technology Investments
The second part of M-06-19 reiterated past memoranda which addressed budgeting for security funding with regard to information technology. When developing fiscal year budgets, agencies should:
- Use M-00-07 as a guidelines for preparing budget policy
- Ensure that security and funding is integrated into information technology at all stages of development and use
- Ensure current standards meet existing requirements so that new funds may be spent on developing new or improved systems
- Address how funds and resources are allocated between correcting current weaknesses in security and developing new IT
- Consider M-06-15 “Safeguarding Personally Identifiable Information” and M-06-16 “Protection of Sensitive Agency Information” when considering any improvements or changes to IT investments.
Memorandum 04-26 was issued in September 2004 regarding personal use policies for employees accessing government computers and the use of file sharing technology.
File sharing technology, also known as P2P (peer-to-peer) networking allows users to upload music, photos, videos, and other files to allow mass distribution. P2P networks do not depend on a single network or server to support all of the requests, but rather draws resources and bandwidth from users’ computers to support the transfer of files. While file sharing technology in itself is not illegal, there are many problems associated with it. Most e-piracy takes place through P2P networks, allowing individuals to download movies, music, books, pornography and other media content without paying. Furthermore, P2P networks facilitate the transmission of computer viruses.
The use of file sharing technology on government computers or networks is prohibited to prevent employees from engaging in illicit activities and/or compromising the security of privacy of the information maintained by the U.S. Government.
Directions to Agencies to Prevent File Sharing
M-04-26 directed agencies to take the following steps to protect Government information systems from problems associated with P2P technology:
1. Establish or Update Agency Personal Use Policies to be Consistent with CIO Council Recommended Guidance
All agencies must develop personal use policies outline the proper use of government information technology for the government employees that use them. Personal use policies should address the user’s responsibilities, possible consequences and include provisions against use of P2P technology
2. Train All Employees on Personal Use Policies and Improper Uses of File Sharing
In addition to receiving personal use policies, all employees should receive training on how personal use policies relate to their specific responsibilities towards maintaing the security and privacy of data.
3. Implement Security Controls to Prevent and Detect Improper File Sharing
Agencies should use NIST standards to implement internal security controls that prevent the access and use of P2P technology on government computers.
Memoranda from the Office of Management and Budget usually do not create all new privacy and security legislation. Rather, they amend or add to existing regulations. Often the changes may be small, such as in M-06-19 and M-04-26, however it does not make them less important. OMB memoranda allow privacy and security practices to be an ongoing process within the Federal government and strengthen the protections guaranteed to us under U.S. law.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- OMB Memorandum 04-26 (II.A.c.i.2.c)
- OMB Memorandum 06-15 (II.A.c.i.2.e)