Cybersecurity: Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat Information
Abstract
Federal agencies and our nation's critical infrastructures, such as communications and financial services, are dependent on information technology systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and national security, prosperity, and well-being. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. In December 2015, the President signed the Cybersecurity Information Sharing Act of 2015 into law to encourage the sharing of cyber threat information between the public and private sectors. The act included a provision for GAO to review actions taken by the federal government to remove personal information from cyber threat indicators when shared among federal and nonfederal entities. GAO determined the extent to which seven federal agencies designated by the act developed government-wide policies, procedures, and guidelines for the removal of personal information from cyber threat indicators, pursuant to the act's provisions and fair information practice principles. To do so, GAO gathered and analyzed the policies, procedures, and guidelines developed under the act and compared them to eight requirements in the act related to the removal of personal information.
Document Details
- Document Type: Technical Report
- Publication Date: Dec 06, 2018
- Accession Number: AD1156793
Entities
People
- Nick Marinos
Organizations
- United States Government Accountability Office