State Dept. privacy practices seen as 'satisfactory' in report to Congress
By Jaikumar Vijayan
March 21, 2008
March 21, 2008 (Computerworld) The revelation that three contract workers at the U.S. Department of State illegally accessed confidential passport records belonging to three presidential candidates comes just weeks after a report in which the agency's Inspector General gave it a "satisfactory" rating for its privacy practices.
The assessments were released in an annual report to Congress on federal agency compliance with the requirements of the Federal Information Security Management Act (FISMA). The report was released March 1 by the White House's Office of Management and Budget (OMB).
In that report, the State Department got a "satisfactory" rating for the quality of its Privacy Impact Assessment (PIA) processes, as well as its adherence to "existing policy, guidance and standards" with respect to privacy.
Even so, three workers in recent months were able to access the confidential passport records of three presidential candidates: Sens. Barack Obama (D-Ill.), Hillary Clinton (D-N.Y.) and John McCain (R-Ariz.). Revelations about the breaches erupted late Thursday; top-level State Department officials said they were unaware of the incidents.
PIAs are required for all federal agencies under the E-Government Act of 2002. It mandates that each agency look at how it collects, maintains, uses, disseminates and controls access to personally identifiable information. Guidance from the OMB lists several situations where such assessments are mandated, including when projects are being initiated or when new technologies -- such as Web-enabled access to records -- are implemented.
The OMB report shows that the Department of State has a total of 117 systems containing identity information. Out of those, 91 are maintained directly by the agency while 26 are managed by contractors. The agency has completed PIAs on 85 of those systems, or about 93% of the total that require the assessments. None of the systems that require a PIA appears to be managed by a contractor.
Of the 118 systems that required a Systems of Records Notice in 2007, 95 are managed by the agency, while the rest are handled by contractors.
The FISMA report also shows that the Department of State has various written policies covering privacy, as well as training programs to ensure that all agency personnel and contractors with access to federal data are "generally familiar with information privacy laws regulations and policies and understand the ramifications of inappropriate access and disclosure." The department also offers job-specific information privacy training, the FISMA report shows.
In comments made when the report was released, de facto federal CIO Karen Evans noted that this was the first time that federal agencies were being asked to detail their privacy practices as part of the FISMA reporting requirements. Starting next year, all agencies will also be asked to provide an assessment of the quality of the processes they have implemented.
"If State is 'satisfactory' today, think how bad things must be at the Department of Defense, which was the only department to receive a 'failing' rating on their privacy impact assessment implementation," said Ari Schwartz, deputy director at the Center for Democracy and Technology, a Washington-based rights advocacy group.
The embedded link to the March 1, 2008 OMB report, referenced in the article above, looks as if it no longer contains the March 1 report.
What follows below is perhaps the same report, found at the web site of the OMB:
"Fiscal Year 2007 Report to Congress on Implementation of the Federal Information Security Management Act (FISMA) of 2002"
Department of State was **graded favorably** on its Privacy Impact Assessment up until December, 2007.
Indeed, after multiple breaches of Barack Obama's passport files on January 9, February 21, and March 14, 2008, I wonder what an "unsatisfactory" rating would entail??
Secretary of State Condoleezza Rice tells reporters that she has apologized to Democratic presidential candidate Sen. Barack Obama, D-Ill., for an incident in which State Department contractors unnecessarily reviewed his passport file, Friday, March 21, 2008, at the State Department in Washington, during a meeting with Brazil's Defense Minister Nelson Jobim. Rice said she would be "disturbed" if her passport file was viewed in such an unauthorized manner. (AP Photo/J. Scott Applewhite)
More interesting facts in this investigation:
The two contracting companies involved in the unauthorized passport file access are Stanley, Inc., and The Analysis Corp.
The companies that provided the contractors were The Analysis Corp. and Stanley Inc. Stanley is a Virginia-based company that earlier this week won a five-year, $570-million government contract extension to support passport services.
According to agency officials, the first Stanley employee improperly accessed Obama's records on Jan. 9 and was fired within days. The second contractor, employed by The Analysis Corp., pried into similar records on Feb. 21 but was not terminated. The third incident involved another Stanley employee, who was swiftly fired.
It was not immediately clear why the contractor with The Analysis Corp. had not been fired, while the two Stanley consultants had.
There is a political donation by Philip Nolan, an executive at Stanley, Inc., for $1,000 to Hillary Clinton, dated February 20, 2008.