It’s a common refrain for many reports from the Government Accountability Office (GAO), “Progress Made, Challenges Remain.” As privacy risk management is a relatively new topic for most federal agencies to account for, it’s not surprising that challenges remain when it comes to embedding it into federal privacy programs. Last month Cyberscoop published an article highlighting findings from a year-old GAO report on privacy programs at 24 federal agencies. While the report didn’t make big headlines at the time of its publication, the Cyberscoop article’s timing is pretty consistent with the pace of privacy making its way into the enterprise risk discussion.
The 2022 GAO report demonstrates federal privacy programs are keeping on top of their compliance obligations - mostly governed by the Privacy Act of 1974 and Section 208 of the E-Government Act -- requiring agencies to conduct Privacy Impact Assessments (PIAs). Coordination between privacy and other programs or functions such as information security, IT budget and acquisition, as well as incident response was not as strong as compliance but mostly addressed. Not surprisingly, federal agencies were falling behind in privacy risk management. Given the integration of privacy into traditionally security-focused guidance from the National Institute of Standards and Technology (NIST) over the past 15 years, these findings are not surprising.
In 2010, aside from controls protecting the confidentiality of data, a shared privacy and security interest, there was a single control in NIST signature Special Publication 800-53 for conducting PIAs (“PL-5” for the privacy nerds out there). The title of the publication was “Security Controls for Federal Information Systems.”
Fast forward to 2013 and privacy starts making a splash in 800-53 Rev 4 with the addition of Appendix J, a set of Fair Information Practice Principle based privacy controls. Privacy also breaks its way into the main title of the publication now called “Security and Privacy Controls for Federal Information Systems and Organizations.” Seven years later in 2020, the most recent revision of SP 800-53, Revision 5 was published and reflects privacy controls that are no longer relegated to an appendix.
Integrating these controls requires considerable collaboration between security and privacy programs, and the GAO findings reflect this trend. Privacy risk management concepts and requirements are relatively “new” in the history of federal privacy programs, first appearing in the Office of Management and Budget’s overhaul of A-130 in 2017 and followed by a significant update to the NIST Risk Management Framework, SP 800-37 in 2018 which included privacy for the first time.
If a similar review was conducted 10 years ago, it would look quite different. For starters, the primary focus would be on Privacy Act compliance, as the PIA requirement would still be relatively “new” with uneven results. The concept of privacy risk management wouldn’t have even been a part of study. So even though there’s room for improvement, progress has been made.
Fortunately, there are more tools available to organizations regardless of sector or size, including the newest resource published in 2020 - the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.
Looking ahead, let’s hope federal agency privacy programs can overcome challenges to bring privacy risk management on par with other enterprise risks and change the short title of the future GAO report to “Federal Privacy Programs Crushing it at Privacy.”
Read Next
The International Counter Ransomware Initiative: From Forming and Norming to Performing
Next week the 68 member nations of the International Counter Ransomware Initiative (CRI) will convene in Washington DC for the group’s annual gathering to foster cooperation between nations to combat ransomware.
The Good, the Not So Good, and the Puzzling
The White House Office of National Cyber Director released its summary report on its RFI on Open source software security, checking off another box on the commitments made in the National Cybersecurity Strategy.
Brazil, U.S. Exchange Cybersecurity Best Practices with Digi Americas Alliance Support
Representatives from Brazil and the United States concluded a two-day exchange on cybersecurity best practices hosted by the Digi Americas Alliance on Aug. 8-9 in Washington D.C.