U.S. Department of Labor E-Government Strategic Plan
Successfully implementing E-Government requires a level of trust on the part of all transacting parties. Government agencies, private businesses, and individual citizens must believe that electronic execution of private and/or sensitive transactions (such as providing regulatory data, bidding on a contract, or making a benefit claim) will be conducted in a way that protects the information involved. E-Government security and privacy protection activities address the protection of the government assets involved in E-Government. These actions protect and defend information and information systems by ensuring confidentiality, integrity, availability, authentication, and non-repudiation.
This section addresses development of DOL's E-Government security and privacy framework, implementation of PKI, and assessment of the impact of privacy issues related to IT systems. As with the other components of the E-Government Framework, these activities demonstrate how the Department is implementing the President's Management Agenda.
Consistent with its approach to other major elements of the E-Government Framework, the Department is taking a phased approach to its security and privacy efforts. During the first phase, DOL developed a comprehensive cyber security program in accordance with Federal legislation and policies, including the Federal Information Security Management Act of 2002 (FISMA - Title III of the E-Government Act of 2002) and the Privacy Act of 1974. Accomplishments include the following:
- Conducting risk assessments of the Department's major applications, general support systems, and financial systems, resulting in a better understanding of security risks and an improved ability to address them
- Developing system security plans for major applications, general support systems, and financial systems
- Developing an enhanced computer security awareness training plan
- Demonstrating compliance with the National Institute of Standards and Technology (NIST) Security Self-Assessment Guide for Information Technology Systems (NIST SP 800-26) self-assessment methodology at Levels 1 and 2 (policy and procedures documented), with substantial compliance at Levels 3 and 4 (procedures implemented and tested)
- Establishing the plans of action and milestones (POA&M) reporting process; coordinating the annual review cycle with Inspector General audits; and integrating POA&M reporting into the IT investment management process
- Issuing the systems development life-cycle methodology, which integrates IT security into each phase of a project's life cycle
- Developing the security and privacy IT budget crosscut fund
- Issuing revised DOL policy for computer security
- Developing computer security guidance and issuing the Computer Security Handbook
- Initiating development of privacy impact criteria, which will be integrated into the vulnerability assessment process.
During the first phase of its security and privacy efforts, DOL successfully completed security baselining in accordance with NIST SP 800-26 guidelines. This assessment process showed that the Department was fully compliant with Level 1 and Level 2 of the NIST self-assessment (framework policies and procedures have been documented at the departmental level). The Department also showed that it was substantively compliant with Levels 3 and 4 of the NIST framework through the implementation and testing of those procedures at the component agency level. That baselining effort has provided a foundation for better measurement and comparison of risk across the Department, improved allocation of resources for mitigation of the highest-level risks, linking of security improvement efforts to the DOL enterprise architecture, and validation of the Department's capability to incorporate E-Government security requirements.
During Phase II, DOL will conduct ongoing vulnerability analyses for a majority of systems, continue implementation of the Computer Security Awareness Program, and develop plans for higher degrees of compliance with the NIST self-assessment framework. As DOL's security and privacy program continues, the Department will continue to focus on the integration of IT security into E-Government-related processes such as the systems development life-cycle methodology and the IT capital planning and budget process.
The Department is progressing in its implementation of the security and privacy framework, as evidenced by DOL's receipt of the second-highest overall grade, and the highest of any cabinet department, in a report on Federal computer security by the House Government Reform Committee's Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations [6].
In establishing an overall electronic signature capability, the Department is implementing a common PKI capability across the enterprise. The project ultimately will provide capabilities to address the internal PKI needs of the Department. In many instances, this PKI implementation will replace existing methods of authentication, provide improved encryption capabilities, and provide a reliable method of electronic signature. Some examples of intended use include desktop, remote access, and Web site authentication; file and e-mail encryption; and eSignature of forms, files, and e-mail. The PKI implementation will support, and in some cases require, the use of smart cards as the storage medium for issued certificates, to provide portability and improved protection of subscribers' private keys. The PKI effort will meet departmental agencies' long-term needs for security and E-Government. It will be flexible enough to promote agency mission needs but sufficiently rigorous to provide security for the Department's most sensitive information. Finally, the Department's PKI efforts will be consistent with the eAuthentication PPI.
The Department will develop and implement an IT privacy impact assessment methodology, consistent with the requirements of the E-Government Act of 2002.
Using the Internal Revenue Service's Privacy Impact Assessment as a model, the Department will develop a system-level questionnaire based on strategic policies, procedures, and industry best practices, mapped to a core set of widely accepted privacy principles. The assessment questionnaire will use a standardized self-assessment approach to determine whether the Department is meeting Federal privacy requirements and internal agency rules. Because an agency's privacy requirements and activities may change over time, the methodology devised for the questionnaire will have the flexibility needed to evaluate this constantly changing privacy landscape.
The goals of the self-assessment methodology will be to provide the Department with a current snapshot of an agency's privacy efforts at the system level, to map compliance activities to specific regulatory and statutory requirements, and to create a gap analysis. Such information should enable the Department to mitigate privacy risks, liability, and exposure, and thereby achieve public trust and confidence.
[6] This report is available at http://reform.house.gov/gefmir/hearings/2002hearings/1119_computer_secur...