Agencies are on the hook to publicly release more digital data in a way that protects citizens’ personal information and does not compromise government security.
One challenge, however, will be determining how that data could be combined with existing public data to identify an individual or pose other security risks to agencies, according to experts speaking at ACT-IAC’s annual Management of Change conference this week.
“The awareness is there, the concern is there, [but] the practice of it is relatively immature,” said Mike Howell, deputy program manager in the Office of the Program Manager of the Information Sharing Environment. “The policy framework around how you prevent inadvertent aggregation of personal identifiable information [and] sensitive information, it’s a known problem. It’s good that people are paying attention, but it becomes incumbent on whoever the aggregator is what they do with that information.”
Howell, whose office falls under the Office of the Director of National Intelligence, highlighted the administration’s recent Open Data policy that refers to this issue as the mosaic effect. The policy memo, released this month, directs agencies to:
Consider other publicly available data – in any medium and from any source – to determine whether some combination of existing data and the data intended to be publicly released could allow for the identification of an individual or pose another security concern.
The challenge for many agencies, however, is that they’re struggling to understand what data they have, let alone what data is already in the public domain.
According to the policy, “it is the responsibility of each agency to perform the necessary analysis and comply with all applicable laws, regulations, and policies. In some cases, this assessment may affect the amount, type, form, and detail of data released by agencies.”
There’s a natural tension between releasing open data and securing it, said Donna Roy, an executive director in the Department of Homeland Security’s Information Sharing Environment Office.
Agencies have been instructed to:
- Collect or create only that information that is necessary for the proper performance of agency functions and that has practical utility.
- Limit the collection or creation of information that identifies individuals to what is legally authorized and necessary for the proper performance of agency functions.
- Limit the sharing of information that identifies individuals or contains proprietary information to what is legally authorized.
Agencies are anxiously awaiting governmentwide standards for securing smartphones and tablet computers.
Come May, they will have a checklist of security standards to use, organized by the sensitivity of data employees share or access on mobile devices and who data is shared with, whether another federal agency or citizens.
Federal officials working on the project refer to the guidelines as a playbook or list of security standards that agencies should consider when using mobile devices. The playbook will include five common ways that most agencies use mobile devices and provide recommendations for securing devices in those environments, said Margie Graves, deputy chief information officer at the Department of Homeland Security.
Graves, who spoke at a mobile security event Thursday, is working with the National Institute of Standards and Technology, the Defense Department and the Justice Department to develop the playbook.
The security standards are based on revised NIST standards released Tuesday for final comment. Ron Ross, a senior computer scientist and information security researcher at NIST, said the final document is expected in April.
While many of the existing NIST standards can be applied to mobile devices, some may not be applicable, Ross said. For example, one NIST security standard recommends agencies disable or restrict unnecessary functions or services that their information systems may provide. For mobile devices, that may mean restricting what applications employees can download or disabling mobile capabilities that aren’t needed for work and could be a security risk.
DHS’ Graves described the playbook as an itemized checklist of security standards categorized by use case. However, she wouldn’t provide details on the use cases. DHS CIO Richard Spires has said these standards will help agencies in developing bring-your-own-device programs, where employees are able to use their personal devices for work.
How agencies implement or tailor security standards to meet their needs will vary, Graves said. For instance, the intelligence community, law enforcement agencies and DoD may use similar use cases for mobile, while DHS’ Federal Emergency Management Agency would need to use mobile devices to communicate with the public during a natural disaster.
Some guidance will be released in March on how agencies can best secure mobile devices used for communicating with other agencies. The entire playbook, however, will not be released until May.
As Congress and the administration grapple with how best to cut the federal deficit, a group of industry and government leaders are suggesting that information technology be used to reduce that number by billions of dollars.
The American Council for Technology and Industry Advisory Council’s (ACT-IAC) Institute for Innovation on Tuesday released recommendations for the Obama administration to cut the deficit by $220 billion annually through increased use of data analytics and industry best practices. ACT-IAC is a public-private partnership focused on helping government use technology to serve the public.
More than 100 volunteers from government and industry provided input for ACT-IAC’s first Quadrennial Government Technology Review, a series of reports detailing how IT can be used to solve the nation’s most challenging issues such as rising healthcare costs, citizen services and a lack of qualified workers for science and technology-related jobs.
Here’s a very high-level explanation from ACT-IAC on how it arrived at $220 billion in annual savings:
- $70 billion by using big data analytics creatively in the federal healthcare space, based on numbers from the McKinsey Global Institute. McKinsey estimates that the nation’s healthcare sector could save $300 billion annually through big data, and $70 billion of that is the federal sector.
- $50 billion by using enhanced IT tools to better share, access and analyze data to reduce improper payments and uncollected taxes. In the report, ACT-IAC backs this claim using IRS reports that the amount of uncollected taxes is $385 billion and improper payments made by the federal government total more than $100 billion a year. The group suggests that IT tools could reduce the overall number by 10 percent.
- $100 billion by investing in technology to increase productivity and reduce costs, based on industry best practices. These savings are a fraction of the total $970 billion that government could save over 10 years by adopting industry best practices identified in the report.
| Streamline Government Supply Chain | $500B |
| Monetize Government Assets | $150B |
| Reduce Field Operations/Self Serve | $50B |
| Shared Mission Support | $50B |
| Reduce Energy Usage | $20B |
Most federal information technology executives are not involved in their department’s succession planning activities, according to a new workforce study.
The 25 IT executives included in the ACT-IAC (American Council for Technology and Industry Advisory Council) study said their agency’s succession planning program and human capital resource management strategy were partially developed, poorly developed or non-existent. Seventy percent said they were not included in succession planning discussions.
None of the 16 human capital executives surveyed had metrics that measured whether their agency’s succession, skills and management needs were being met.
“The human capital practitioners felt as though they are delivering succession planning programs as they are required to do by the Office of Personnel Management,” Dr. Susan Grunin, who chairs the ACT-IAC group that commissioned the study, said in a statement. “However, one of the key results we found is that many IT operational managers are not aware these program[s] exist in their areas. If they are aware, many find them to be ineffective at producing managers capable of executing agency initiatives.”
Other findings include:
- Intra-agency succession planning does not happen uniformly across government.
- Internal communications in this area are often ineffective.
- Some agency IT operational managers develop and use their own internal succession planning processes.
However, NASA and the Commerce Department were touted as having good succession planning structures that require senior officials to develop, maintain and operate human capital programs based on the agency’s goals and objectives. Both programs allow management at multiple levels to provide feedback.
In a TechAmerica CIO survey released in May, the IT trade organization found that 52 percent of CIOs do not have formal succession plans to replace retiring leaders and top managers. The consequence of not doing so could mean a downward spiral in IT leadership capability, according to TechAmerica.
In its study, ACT-IAC recommends that agencies:
- Publicize their management development and succession planning widely. NASA uses monthly reports, video-conferencing and intranet sites to get the word out.
- Include rotational assignments for their managers as part of succession planning.
- Train new agency leaders on the purpose and benefits of succession planning.
The study also recommends that OPM provide a virtual or in-person succession planning forum for agencies to learn best practices and updates on succession planning policies.