This part applies to all GSA Information Technology based (IT) systems of records that contain Personally Identifiable Information (PII). Systems of records are groups of records from which information is retrieved by a personal identifier such as name, Social Security Number (SSN), fingerprint, or other unique symbol. Since computer technology has made it possible to store, retrieve, and manipulate data quickly and efficiently, additional safeguards are needed to ensure that personal data contained in IT systems are protected from unauthorized and illegal use.
The following security requirements apply to the protection of PII. For additional information please reference GSA CIO P 2100.1I - GSA Information Technology (IT) Security Policy.
- If it is a business requirement to store PII on GSA user workstations or mobile devices including, but not limited to notebook computers, USB drives, DC-ROMS, personal digital assistants and Blackberries, PII must be encrypted using a FIPS 140-2 certified encryption module. An employee or contractor shall not physically take out PII from GSA facilities (including GSA managed programs housed at contractor facilities under contract), or access remotely (i.e. from locations other than GSA facilities), without written permission from the employee’s supervisor, the data owner, and the IT system authoring official. This applies to electronic media (e.g. laptops, Blackberries, USB drives), paper, and any other media (e.g., CDs/DVDs) that may contain PII.
- PII shall be stored on network drives and/or in application databases with proper access controls (i.e., User ID/password) and shall be made available only to those individuals with a valid need to know.
- Log all computer-readable extracts from databases holding PII and verify each extract including PII has been erased within 90 days or its use is still required.
- Creation of computer-readable data extracts that include PII shall be maintained in an official log including creator, date, type of information, and user.
- If PII needs to be transmitted over the Internet, it must be sent using encryption methods defined in Chapter 5, Paragraph 7 of the GSA IT Security Policy.
- All incidents involving Personally Identifiable Information (PII) must be reported to the GSA OSAISO within one hour of discovering the incident. GSA employees and contractors shall report to their Information Systems Security Officer (ISSO) and the OSAISO. If the ISSO cannot be reached the Information System Security Manager (ISSM) and OSAISO should be contracted. All incidents involving Personally Identifiable Information (PII) in electronic or physical form must be reported. There should be no distinction between suspected and confirmed breaches.
- All incidents involving data breaches which could result in identity theft must be coordinated through the OSAISO and the GSA Management Incident Response Team (MIRT) using the GSA Information Breach Notification Policy (9297.2 HCO) per OMB Memorandum M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.”
- GSA managed computers that collect and store PII must adhere to all PII requirements.
- All GSA employees and contractors must complete security awareness training and Privacy Training 101 annually.
- All GSA employees and contractors must complete security awareness training and Privacy Training 101 within 60 days of employment.
- Continuity of operations plan (COOP) contact lists which only contain a person’s name and home phone number are exempt from GSA IT security policy requirements in Chapter 2, Paragraph 14, sub-section H and Chapter 4, Paragraph 17, sub-section D. COOP contact lists kept on an electronic device that is password protected (Blackberry, handheld device, laptop, USB drive) do not require written permission or encryption. Paper “cascade lists” limited to name and home phone number that are maintained for the purpose of emergency employee accountability are permissible with the approval of those individuals listed. All paper and other media should be kept in a locked facility or an otherwise secure location when not in use.
- Users of IT resources should familiarize themselves with any special requirements for accessing, protecting, and using data, including Privacy Act requirements, copyright requirements, and procurement-sensitive data.
- PII shall not be stored on or accessed from personally owned computers or personally owned mobile devices. PII shall only be accessed from government furnished equipment (GFE) or contractor maintained computers configured in accordance with GSA IT security policy and technical security standards.
- If P11 needs to be emailed within the GSA network, the minimum available encryption is required. If P11 needs to be emailed outside the GSA network encryption is required. Instructions can be found on the privacy web page in the section "Documents for Download." Your email will be blocked if Social Security Numbers are sent unencrypted.
- If P11 needs to be sent by courier, printed, or faxed several steps should be taken. When sending P11 by courier mark "signature required" when sending documents. This creates a paper trail in the event items are misplaced or lost. Don’t let P11 documents sit on a printer where unauthorized employees or contractors can have access to the information. When faxing information use a secure fax line. If one is not available, contact the office prior to faxing, so they know information is coming, and contact them after transmission to ensure they received it. For each event the best course of action is limit access of P11 only to those individuals authorized to handle it, create a paper trail, and verify information reached its destination.
- Ensure employees and contractors have the proper background investigation before accessing P11.
The following responsibilities are specific to GSA IT systems that contain Privacy Act information.
Chief Information Officer (CIO) The CIO has overall responsibility for the GSA IT Security Program and the IT Capital Planning Program, including overseeing security policy for Privacy Act data, reviewing Privacy Impact Assessments prepared by GSA organizations for security considerations, and ensuring that the Privacy Impact Assessments are a part of GSA's IT Capital Planning and Investment Control Policy.
Authorizing Official (AO) Each Service, Staff Office, and Region has an appointed AO whose primary responsibility is to ensure the security of IT systems. Additionally, the AOs are responsible for reviewing and approving PIAs for their organizations and for their organizations and for ensuring that IT systems that handle privacy data meet information privacy and security requirements and for reviewing each existing and proposed IT Privacy Act system in their respective organizations for the need to conduct a PIA, coordinating the preparation of the PIA with program and system managers, and approving the PIA for their organizations.
Program/Project Manager As the official with responsibility for managing programs for which an IT system is established and who manages and controls the operation of the IT system, the Program/Project Manager is responsible for working with the other officials with privacy and security responsibilities (DAA, system developer, contracting officer, privacy officials), on the system's privacy and security issues. This responsibility includes: identifying systems that meet the PIA requirement; coordinating with the system developer, and others who may be involved, on resolving information privacy and security issues; and preparing the PIA before submission to a higher level of authority. Also serves as the point of contact for the system on privacy and security matters.
System Developer/DesignerThe system developer/designer is responsible for ensuring that the IT system design and specifications conform to privacy and security standards and that technical controls are in place for safeguarding personal information.
IT Systems Contracting Officers Responsible for ensuring that IT system privacy and security requirements are incorporated into IT contracts and that GSA vendors and contractors are made aware that Privacy Act information security laws and regulations apply to Federal personnel, vendors, and contractors. Any IT systems that contractors design, develop, maintain, operate, or use, and the data in the systems are subject to these same laws, regulations, and requirements.
In addition to the requirements of the Privacy Act , which affords individuals the right to privacy of records that are maintained in systems of records by Federal agencies and which incorporates the provisions of the Computer Matching and Privacy Protection Act of 1988 (Public Law 100-503) and the Computer Matching and Privacy Protection Amendments, both of which address electronic sharing of information, the following laws and regulations establish the basic requirements for Federal IT systems.
The E-Government Act of 2002 (Public Law 107-347) aims to ensure privacy in the conduct of Federal information activities. Section 208 of the law specifically requires agencies to conduct Privacy Impact Assessments for electronic information systems.
The Federal Information Security Management Act of 2002 (Title III of Public Law 107-347) establishes security practices for Federal computer systems and, among its other system security provisions, requires agencies to conduct a periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency; and address information security throughout the life cycle of each agency information system.
OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources, requires Federal agencies to implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications and review the security controls in each system when significant modifications are made to the system, but at least every three years.