Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) identifies security controls on the use of PII by federal agencies.


Description

Privacy Impact Assessment

Before a federal agency can develop or purchase a records system, the system must undergo a Privacy Impact Assessment (PIA). This assessment weighs the benefits of the system against the risks of PII misuse or leaks. It also assesses the quality and legal compliance of the security controls used in and around the system.

If an established records system that has not undergone a PIA will be newly used to store PII, it must now undergo a PIA. Similarly, a records system that has not undergone a PIA must undergo one when it is digitized.

Exceptions are made for national security systems and paper records systems.

System of Records Notice

If the PIA approves a records system, the agency must publish a System of Records Notice (SORN) informing the public of...

SORNs are published in the Federal Register, and the publication must be completed before any collection may begin.

Disclosures

PII stored in a records system can only be disclosed if (1) the individual to whom it pertains submits a written request for the disclosure, or (2) that individual has given prior written consent to the disclosure.

Beyond those two cases, there are 12 categories of permitted disclosures.

  1. Disclosure to staff who have a need to know the PII
  2. Disclosure as required by FOIA
  3. Routine use of the records as established in the SORN
  4. Disclosure to the Census Bureau for the purpose of conducting a census or survey
  5. Disclosure for statistical analysis or reporting without individual data
  6. Disclosure to the NARA
  7. Disclosure to a law enforcement agency for the purpose of a civil or criminal investigation
  8. Disclosure for compelling or emergency circumstances affecting an individual's health or safety
  9. Disclosure to Congress
  10. Disclosure to the GAO
  11. Disclosure pursuant to court order
  12. Disclosure to a consumer reporting agency

Office of Management and Budget Memoranda

OMB M-17-12 requires agencies to disclose PII leaks, including...


History

FISMA was passed as part of the E-Government Act of 2002.

The act was amended in 2014 by the Federal Information Security Modernization Act.



UnitedStates/InformationLaw/FederalInformationSecurityManagementAct (last edited 2023-09-10 21:10:52 by DominicRicottone)