Nearly five years after standards were established for how federal agencies should incorporate privacy concerns into their risk management strategies, many have still failed to do so, illustrating the major hurdles the U.S. government faces in safely collecting and storing a wide range of personal data that relates to everything from people’s health care information to national security.
In 2018, the National Institute of Standards and Technology published a framework for how agencies should go about incorporating privacy into their risk management tools, but a FedScoop and CyberScoop review finds that several agencies — including the State Department, NASA and the Department of Housing and Urban Development — are still working on meeting privacy recommendations first written during the Obama administration. For other agencies, including the Department of the Interior and Justice Department, it’s not clear what progress has been made to meet these goals.
These findings come a year after a report from the Government Accountability Office concluded that 14 agencies had failed to incorporate privacy into their risk management strategies. Federal agencies’ delays in meeting these standards illustrate both the complexity of managing privacy concerns among an ever-growing federal IT bureaucracy and a lack of consequences for failing to implement them.
The lack of implementation has many privacy experts concerned that the federal government is ill-prepared to handle a growing body of data, even as it seeks to accelerate a digital transformation and embrace data-reliant technologies like artificial intelligence.
“One of the reasons that you see such checkered compliance is that there really aren’t consequences for an agency failing to produce a risk management framework or privacy impact assessment or other privacy documentation that it’s obligated to produce,” said John Davisson, senior counsel and director of litigation at the Electronic Privacy Information Center.
A tool to address privacy risks
They have a wonky name, but risk management strategies serve as frameworks for federal agencies to manage the myriad technologies and information at their disposal. These strategies are supposed to help agencies implement controls and policies and assist in protecting all sorts of sensitive data, from citizens’ health care information to national security systems.
“What the risk management framework would tell you to do is that you need to look at the reward of or the benefit of collecting that information,” said Walter Haydock, founder and CEO of the AI company StackAware and a former adviser to the House Committee on Homeland Security.
The stakes are high for deciding what information to collect and how to store and protect that material, especially amid surging cyberattacks, growing reliance on third-party software providers and the arrival of new forms of emerging technology, like AI.
Davisson pointed to the Census Bureau’s proposal to add a citizenship question to the 2020 census — which was ultimately not included — as an example of why these strategies matter. “It enhances privacy risks for census respondents and has a secondary knock-on effect of reducing census response rates,” Davisson said. “That is the type of consideration that an agency that has not developed a coherent risk management framework might not even know to take into account.”
The requirement to implement privacy-aware risk management frameworks is described in Office of Management and Budget Circular A-130, which references agencies’ responsibilities for managing and protecting information. NIST Special Publication 800-37, which was originally published in 2010 and subsequently revised, offers a framework for incorporating privacy into risk management tools, including roles for different federal officers and recommendations for evaluating various information systems.
But agencies are still working to fulfill the framework outlined by NIST. The State Department said that staff expect to finish an updated strategy by April of next year. NASA, meanwhile, has created a draft enterprise cybersecurity risk management strategy that it anticipates will be finished at some point in fiscal year 2024. The Departments of Defense and Housing and Urban Development expect to complete their strategies in the first half of calendar year 2024.
The Department of Energy, according to the GAO, aims to complete efforts to incorporate privacy into its risk management approach by the end of this month. Ann Dunkin, the DOE’s chief information officer, told FedScoop that the agency is developing new policies for both its cybersecurity and privacy in order to “strengthen our combined risk management approach.”
She added that the privacy team plans to reissue its privacy directive, “which lays out the move to risk management and memorializes the importance of the Privacy Continuous Monitoring Program and the adoption of privacy controls in all systems that collect, maintain, or use personally identifiable information.”
The Department of Homeland Security told FedScoop that it is continuing to provide the GAO with updates on progress toward establishing an organization-wide enterprise risk management strategy. The GAO noted in February that it had not received any updates from the agency. DHS did not provide an expected date of completion.
Other agencies appear unresponsive. The Department of the Interior, for example, did not respond to a request for comment or provide the GAO with updates when the office reviewed the status of its privacy recommendations in February. Other agencies, including the Department of Justice and HUD, have disputed the GAO’s findings about their failure to incorporate privacy into risk management frameworks.
Both the GAO and subsequent FedScoop analyses were limited to agencies that fall under the Chief Financial Officers Act, which gives OMB responsibility for directing federal CFOs regarding the management and modernization of systems. The GAO told FedScoop that it has been “following up with agencies on an ongoing basis” to address compliance with these requirements as recently as September.
Privacy experts argue that risk management strategies to address privacy are pivotal in forcing agencies to realize the magnitude of the hazards they face if they fail to adequately protect data.
“I think the goal of putting that into guidance and with NIST guidance is really to kind of elevate privacy as a risk on par with other enterprise risk,” said Jamie Danker, senior director of cybersecurity and privacy services at Venable and former chief privacy officer at DHS’s Cybersecurity and Infrastructure Security Agency.
‘The privacy threat environment’
Some agencies say they’ve seen success incorporating privacy into their risk management strategies. As part of its risk management process, the Department of Veterans Affairs, for example, has continued to reduce its use of social security numbers as identifiers, including by establishing pilot projects, creating a program management office and approving the use of an alternative number, a spokesperson told FedScoop.
Still, even agencies that have made greater progress in incorporating privacy concerns into their risk management strategies face challenges.
“VA’s Office of Information and Technology must secure the privacy for a large, diverse enterprise, including over 16 million Veterans, 400k employees, 1300+ Care sites, 300+ Vet Centers, 56 Regional Offices, 155 cemeteries, and over 1,000 IT systems,” Joseph Williams, a public affairs specialist at the VA, said in a statement to FedScoop. “The privacy threat environment is vast and ever changing.”
Several agencies report hiring and resource hurdles in meeting privacy requirements. Both HUD and the Environmental Protection Agency told FedScoop that they were impacted by a limited number of privacy-focused staff. At the EPA, the roles of agency privacy officer and national privacy program analyst were unfilled for more than two years and were instead occupied by temporary employees, according to Dominique Joseph, an agency spokesperson.
Emerging technologies add to the need for strong privacy risk practices. In 2022, 20 of 24 CFO Act agencies reported a lack of federal guidance for newer technologies, such as cloud services and AI, as a challenge to applying privacy requirements. The White House has issued cloud cybersecurity guidance and OMB is preparing to release new AI guidance, but the slow pace in implementing standards that were first issued in 2018 illustrates the magnitude of the challenge facing the government in responding to the risks posed by these newer technologies.
“The reason that it rings true is the risk management framework prescribed by NIST 800-37 requires an extremely complex series of documents and approvals and checks and things like that,” added Haydock, the StackAware executive. “Folks are very content with the old way of doing business, mainly because people don’t get fired.”