State Dept. privacy practices seen as 'satisfactory' in OMB report to Congress (March 1, 2008)

March 21, 2008 (Computerworld) The revelation that three contract workers at the U.S. Department of State illegally accessed confidential passport records belonging to three presidential candidates comes just weeks after a report in which the agency's Inspector General gave it a "satisfactory" rating for its privacy practices.
The assessments were released in an annual report to Congress on federal agency compliance with the requirements of the Federal Information Security Management Act (FISMA). The report was released March 1 by the White House's Office of Management and Budget (OMB).

In that report, the State Department got a "satisfactory" rating for the quality of its Privacy Impact Assessment (PIA) processes, as well as its adherence to "existing policy, guidance and standards" with respect to privacy.
Even so, three workers in recent months were able to access the confidential passport records of three presidential candidates: Sens. Barack Obama (D-Ill.), Hillary Clinton, (D-N.Y.) and John McCain (R-Ariz.). Revelations about the breaches erupted late Thursday; top-level State Department officials said they were unaware of the incidents.

PIAs are required for all federal agencies under the E-Government Act of 2002. It mandates that each agency look at how it collects, maintains, uses, disseminates and controls access to personally identifiable information. Guidance from the OMB lists several situations where such assessments are mandated, including when projects are being initiated or when new technologies -- such as Web-enabled access to records -- are implemented.
The OMB report shows that the Department of State has a total of 117 systems containing identity information. Out of those, 91 are maintained directly by the agency while 26 are managed by contractors. The agency has completed PIAs on 85 of those systems, or about 93% of the total that require the assessments. None of the systems that require a PIA appears to be managed by a contractor.
Of the 118 systems that required a Systems of Records Notice in 2007, 95 are managed by the agency, while the rest are handled by contractors.

The FISMA report also shows that the Department of State has various written policies covering privacy, as well as training programs to ensure that all agency personnel and contractors with access to federal data are "generally familiar with information privacy laws regulations and policies and understand the ramifications of inappropriate access and disclosure." The department also offers job-specific information privacy training, the FISMA report shows.
In comments made when the report was released, de facto federal CIO Karen Evans noted that this was the first time that federal agencies were being asked to detail their privacy practices as part of the FISMA reporting requirements. Starting next year, all agencies will also be asked to provide an assessment of the quality of the processes they have implemented.

"If state is 'satisfactory' today, think how bad things must be at the Department of Defense, which was the only department to receive a 'failing' rating on their privacy impact assessment implementation," said Ari Schwartz, deputy director at the Center for Democracy and Technology, a Washington-based rights advocacy group.

The companies that provided the contractors were The Analysis Corp. and Stanley Inc. Stanley is a Virginia-based company that earlier this week won a five-year, $570-million government contract extension to support passport services.

According to agency officials, the first Stanley employee improperly accessed Obama's records on Jan. 9 and was fired within days. The second contractor, employed by The Analysis Corp., pried into similar records on Feb. 21 but was not terminated. The third incident involved another Stanley employee and was swiftly fired.

It was not immediately clear why the contractor with The Analysis Corp. had not been fired, while the two Stanley consultants had.