New OMB guidance clarifies how agencies should prepare for, respond to data breaches
A new White House memorandum seeks to clarify how federal agencies should be preparing for and responding to a breach.
The Office of Management and Budget memo released Tuesday is replacing three outdated memos, one from 2007 and two from 2006. It doesn’t address specific policy on information security or technical methods to control or detect incidents, but it does offer “a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach,” and guidance on whether and how to notify people and offer support services.
The policy comes after the House Oversight and Government Reform Committee reported in September that the historic data breach at the Office of Personnel Management was the result of failed leadership and consistent cybersecurity ignorance.
That report called for the OMB to develop certification requirements that include requirements for reporting breaches to a federal cybersecurity center and notifying people whose personally identifiable information might have been compromised.
The memo released this week offers guidance for reporting breaches and notification, and also outlines some requirements for contracts, including the contracting language that should be included to ensure that agencies can respond properly to a breach when a contractor collects or maintains information on behalf of an agency.
Back in 2014, the GAO also identified a need for further guidance from OMB on data breaches, in a report that said agencies might not be consistently taking corrective actions to limit the risk of data breach incidents involving personally identifiable information because of incomplete guidance from OMB.
The report recommended OMB’s policy include guidance on notifying affected people based on a risk level, criteria for whether or not to offer help and revised reporting requirements to US-CERT.
For now it is unclear if this new policy adequately addresses all of the concerns identified in the 2014 report, or in the Oversight committee report.
The memo requires each agency’s Senior Agency Official for Privacy to update the agency’s breach response plan within 180 days and give it to OMB.
Contact Samantha via email at samantha.ehlinger@fedscoop.com, or follow her on Twitter at @samehlinger.