Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information
Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General
Federal Information Security Management Act (FISMA) of 2002 – This Act is Title III of the E-Government Act of 2002. It defines federal requirements for securing information and information systems that support federal agency operations and assets and requires agencies to develop agency-wide information security programs. Under FISMA, civilian agencies are required to notify the U.S. Computer Emergency Readiness Team (US-CERT) in the Department of Homeland Security of incidents, within timeframes that depend on the type of incident (e.g., data breaches, unauthorized access, or suspicious activity on their networks). In July 2006, OMB expanded the reporting requirement to cover all incidents involving PII. FISMA also requires the Inspectors General to conduct an annual independent evaluation of the information security program and practices of every agency. To support agencies in conducting their information security programs, FISMA called for the National Institute of Standards and Technology (NIST) to develop federal standards for the security categorization of federal information and information systems according to risk levels and for minimum security requirements for information and information systems in each security category.
E-Government Act of 2002 – This Act ensures sufficient protection for the privacy of personal information in electronic government systems by requiring that agencies conduct Privacy Impact Assessments (PIA). A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system. FISMA is Title III of the E-Government Act.
Privacy Act of 1974 – This Act limits agencies’ collection, maintenance, use, and dissemination of information maintained in a system of records. The purpose of the Privacy Act is to balance the government's need to maintain information about individuals with the right of those individuals to be protected against unwarranted invasions of their privacy. The Act restricts disclosure of protected information; grants individuals the right to access and amend such records; and establishes a code of “fair information practices” that requires agencies to comply with statutory norms for the collection, maintenance, and dissemination of records.
OMB Memorandum M-06-20 (July 17, 2006) – Fiscal Year 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. This memorandum provides instructions to all departments and agencies for meeting the fiscal year 2006 requirements of FISMA. It also adds the requirements that all Inspectors General provide a list of any systems they have found missing from the agency’s inventory of major information systems (as required under the E-Government Act of 2002) and identify any physical or electronic incidents involving the loss of or unauthorized access to PII and whether those incidents were reported in accordance with OMB Memorandum M-06-19.
OMB Memorandum M-06-19 (July 12, 2006) – Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments. This memorandum defines PII and provides updated guidance on the reporting of security incidents involving PII. By issuing this memorandum, OMB required that all security incidents involving PII be reported within 1 hour of the incident’s discovery. US-CERT is required to forward all agency reports to the appropriate Identity Theft Task Force point-of-contact also within 1 hour of notification by an agency. Agencies are also required to identify specific funds they are requesting for correcting any security weaknesses identified by their Inspectors General or the Government Accountability Office.
OMB Memorandum M-06-16 (June 23, 2006) – Protection of Sensitive Agency Information. This memorandum advises heads of Departments and agencies of the NIST Checklist for protection of remote information and recommends additional action to take such as encrypting all data on mobile computers and other devices, allowing remote access only with two-factor authentication, using a time-out function after 30 minutes for remote access, and logging all extractions of sensitive information and verifying that each extract has been erased within 90 days or that its use is still necessary.
OMB Memorandum M-06-15 (May 22, 2006) – Safeguarding Personally Identifiable Information. This memorandum reminds heads of Departments and agencies of their responsibilities under law and policy to safeguard sensitive PII and to train employees on their responsibilities in this area.
OMB Circular A-130 (November 28, 2000) – Management of Federal Information Resources. This circular established policies for the management, collection, and dissemination of federal information resources, as required by the Paperwork Reduction Act of 1980.
DOJ Order 2740.1 (November 7, 2005) – Use and Monitoring of DOJ Computers and Computer Systems. This order states the Department’s policy on the use of departmental computers and computer systems, the lack of expectation of privacy with respect to such use, and authorized monitoring of or access to information on departmental computers and computer systems.
DOJ Order 2880.1B (September 27, 2005) – Information Resources Management Program. This order establishes Department policy governing the planning, management, operation, and use of information technology (IT) resources. It includes a section on information technology security that states in part:
The Department shall develop and manage an agency wide Information Technology Security Program consistent with the laws and regulations affecting IT Security.
Department IT systems processing Sensitive Compartmentalized Information (SCI) shall have controls implemented consistent with the IT security controls established by the intelligence community. All IT systems that process, store, or transmit SCI shall be coordinated with the CIO prior to development and approved by the Department Security Officer prior to their operation.
DOJ Order 2640.2E (November 28, 2003) – Information Technology Security. This order establishes uniform policy, responsibilities, and authorities for the implementation and protection of Department IT systems that store, process, or transmit classified and unclassified information.
Information Technology Security Approved Standards (December 2003–July 2005) – JMD’s Information Technology Security Staff standards establish the management, operational, and technical controls for the Department’s information systems.
NIST Special Publication 800-53A (April 2006) – Guide for Assessing the Security Controls in Federal Information Systems (Second Public Draft). This publication provides methods and procedures to assess the effectiveness of security controls in federal information systems. The guidance allows federal agencies to develop more secure information systems.
NIST Special Publication 800-53 (February 2005) – Recommended Security Controls for Federal Information Systems. This publication defines minimum security controls needed to provide cost-effective protection for low-, moderate-, and high-impact information systems and the information processed, stored, and transmitted by those systems. These are the standards used for certification and accreditation of federal IT systems.
NIST Special Publication 800-61 (January 2004) – Computer Security Incident Handling Guide. This guide discusses how to organize a security incident response capability and how to handle incidents, including denial of service, malicious code, unauthorized access, and inappropriate use of systems incidents.
Federal Information Processing Standards Publication (FIPS) 200 (March 2006) – Minimum Security Requirements for Federal Information and Information Systems. FIPS Publication 200 specifies minimum security requirements for federal information and information systems, representing a broad-based, balanced information security program, and a risk-based process for selecting the security controls necessary to satisfy those requirements. In applying the FIPS 200 provisions, agencies categorize their information systems as required by FIPS Publication 199 and select an appropriate set of security controls from NIST Special Publication 800-53 to satisfy the minimum security requirements. The requirements are organized into 17 areas, encompassing the management, operational, and technical aspects of protecting federal information and information systems: access control; audit and accountability; awareness and training; certification, accreditation, and security assessments; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; personnel security; physical and environmental protection; planning; risk assessment; system and services acquisition; system and communications protection; and system and information integrity.
Federal Information Processing Standards Publication 199 (February 2004) – Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 is the first standard that was specified by FISMA. It requires agencies to categorize their information and information systems as low-, moderate-, or high-impact based on the potential impact of a loss of confidentiality, integrity, or availability of information or an information system.