Some personally identifiable information about federal employees will be collected by the latest phase of the federal government’s Continuous Diagnostics and Mitigation program — under which the Department of Homeland Security buys and deploys computer network security and monitoring tools for U.S. agencies and departments — but all of it will be held at the department level and not reported to DHS, a new privacy study found.
The mandatory Privacy Impact Assessment was conducted by the DHS privacy office and published Friday. It assesses the completed first phase of CDM, the in-progress second phase and the forthcoming third phase. Each stage delivers different capabilities for network monitoring and security to departments where CDM is deployed and to the U.S. government as a whole through the DHS federal dashboard.
“CDM tools enable [each] department and agency to view customized reports in a dashboard that alerts security personnel to their worst and most critical cyber risks,” explains the PIA. “Summary information from individual department and agency dashboards feeds into the federal dashboard, managed by [DHS’ Office of Cybersecurity and Communications] to inform and prioritize cyber risks across the federal government.”
Phase two involves several capabilities that will collect a limited amount of personally identifiable information, or PII, about federal employees, the assessment says, but “no PII is returned to [the Office of Cybersecurity and Communications]. Only high level summary data from each participating department and agency will be provided to the CS&C-managed federal dashboard.”
Phase two involves capabilities designed to help departments and agencies manage access to their networks by ensuring that user credentials and account privileges “are properly created and maintained, and that appropriate security training is occurring.” These include the following four capability areas, according to the PIA:
- Access Control Management (TRUST): Used to validate a person’s identity and the degree to which he or she has been vetted.
- Security-Related Behavior Management (BEHAVE): Identifies that the individual has the proper knowledge and training for the roles to which he or she is assigned and that the training remains current.
- Privileges (PRIV): Establishes the rights granted to individuals to access certain areas within the system.
- Credentials and Authentication Management (CRED): Binds a type of credential or authentication mechanism to an identity established in TRUST with a level of assurance and is used by the agencies to grant physical and logical access.
In each department or agency implementing CDM, phase two tools “will collect information pertaining to an individual’s suitability and validity dates, clearance levels and validity dates, and training levels and completion dates,” the assessment states, adding that “Agencies already have access to this data.”
“Information regarding the content of the suitability or clearance levels, however, is not collected by the CDM tools or returned to [DHS],” the assessment continues.
“No PII is collected or maintained by the federal dashboard, but is instead collected and maintained by the individual departments’ and agencies’ implementation of CDM,” the assessment concludes.