Privacy: Dedicated Leadership Can Improve Programs and Address Challenges

GAO-22-105065 Published: Sep 22, 2022. Publicly Released: Sep 22, 2022.
Fast Facts

Federal agencies that collect personally identifiable information—such as birthplaces and Social Security numbers—are required to establish programs to protect it.

The 24 agencies we examined had designated a senior agency official for privacy, as required. However, these officials may have numerous other duties and may not bring a needed focus on privacy. They generally delegated many aspects of privacy programs to less-senior officials.

We recommended that Congress consider legislation to designate dedicated, senior-level privacy officials. We also made more than 60 other recommendations to strengthen agency privacy programs.

Highlights

What GAO Found

The 24 Chief Financial Officer (CFO) Act of 1990 agencies varied in the extent to which they addressed key practices for implementing privacy programs:

  • Agencies generally established policies and procedures for key privacy activities. These included developing system of records notices, to identify personal data collected and how they are used; conducting privacy impact assessments; and documenting privacy program plans.
  • Agencies varied in establishing policies and procedures for coordination between privacy programs and other agency activities, such as information security, budget and acquisition, workforce planning, and incident response.
  • Many agencies did not fully incorporate privacy into their risk management strategies, provide for privacy officials' input into the authorization of systems containing personally identifiable information (PII), and develop a privacy continuous monitoring strategy.

Figure: Extent to Which 24 Chief Financial Officers Act of 1990 Agencies Addressed Key Practices for Establishing a Privacy Program

Without fully establishing these elements of their privacy programs, agencies have less assurance that they are consistently implementing privacy protections.

Agencies most frequently cited the following challenges in implementing their privacy programs (see table). Additional information sharing could help agencies address selected challenges.

24 Chief Financial Officer Act of 1990 Agency Challenges in Implementing Privacy Programs

Challenge                                                        | Number of agencies reporting challenge
-----------------------------------------------------------------|---------------------------------------
Having sufficient resources                                      | 21
Applying privacy requirements to new technologies                | 20
Hiring privacy personnel                                         | 17
Integrating privacy and security controls                        | 16
Coordinating with other agency offices and programs              | 15
Ensuring agency programs are implementing privacy requirements   | 15
Retaining privacy personnel                                      | 15
Training privacy professionals                                   | 14

Source: GAO analysis of agency data. | GAO-22-105065

Agencies and privacy experts identified benefits of privacy impact assessments, including providing public information and managing risks. However, they also identified factors that can limit the assessments' effectiveness. These include agencies not always initiating privacy impact assessments early enough to affect program decisions; privacy programs not aware of all agency systems with PII; and privacy programs unable to hold agency staff accountable for developing privacy impact assessments.

Addressing key privacy program practices, program challenges, and privacy impact assessment effectiveness requires significant leadership commitment at agencies. In accordance with Office of Management and Budget (OMB) guidance, the 24 agencies have each designated a senior agency official for privacy. However, most of these officials do not have privacy as their primary responsibility and have numerous other duties relating to, for example, managing IT and information security. Officials with primary duties other than privacy are unlikely to spend a majority of their time focused on privacy, and agencies generally delegated operational aspects of their privacy programs to less-senior officials. This makes it less likely that the senior agency officials for privacy will focus their attention on privacy in discussions with other senior agency leaders.

The shortcomings in agency policies and challenges they reported could be better addressed by a senior-level official with privacy as a primary area of responsibility. In particular, such an official could be better positioned to ensure a consistent focus on privacy at the level of senior leadership, facilitate cross-agency coordination, and elevate the importance of privacy. OMB privacy staff stated that they believed codifying a dedicated senior privacy official in statute would strengthen agency programs and better enable them to address challenges. In addition, several agency officials and privacy experts noted that a senior agency leader dedicated to privacy could better ensure cross-agency coordination and elevate the importance of privacy. Establishing such a position in law could enhance the leadership commitment needed to give attention to privacy issues across the government.

Why GAO Did This Study

The protection of personal privacy has become a more significant issue in recent years with the advent of new technologies and the proliferation of personal information. Federal agencies collect and process large amounts of PII for various government programs. Accordingly, they must ensure that any PII they collect, store, or process is protected from unauthorized access, tampering, or loss.

Federal agencies are required to establish privacy programs for the protection of PII that they collect and process. Among other things, this includes designating a senior agency official for privacy with overall responsibility for the agency's privacy program. In addition, agencies are to conduct privacy impact assessments to analyze how personal information is collected, stored, shared, and managed in a federal system.

GAO was asked to review federal agencies' privacy programs. This report examines (1) the extent to which agencies have established programs for ensuring privacy protections; (2) challenges agencies reported experiencing in implementing their privacy programs; (3) reported benefits and limitations in agencies' use of privacy impact assessments; and (4) the extent to which agencies have senior leadership dedicated to privacy issues.

To do so, GAO compared policies and procedures at the 24 CFO Act agencies to key practices for establishing privacy programs. These practices included privacy compliance activities, coordination between privacy and other agency programs or functions, and activities to manage privacy risks.

In addition, GAO surveyed the 24 agencies on benefits and limitations of privacy impact assessments, and on challenges in implementing their privacy programs. GAO also interviewed privacy experts, relevant agency officials, and staff at OMB's privacy branch.

Recommendations

GAO is recommending one matter for congressional consideration, that Congress consider legislation to designate a dedicated, senior-level privacy official at agencies that currently lack one. GAO is also making two recommendations to OMB to facilitate information sharing to help agencies address selected challenges and better implement privacy impact assessments.

Finally, GAO is making 62 recommendations to selected agencies to fully implement key practices for their privacy programs. This includes fully establishing policies and procedures for coordination between privacy programs and other agency functions and incorporating privacy into risk management activities.

Twenty agencies, including OMB, agreed with the recommendations, and several described planned actions to implement them. One agency did not explicitly state whether it agreed with the recommendations, but generally agreed with the report. One agency disagreed with the recommendations, while another disagreed with some recommendations and partially agreed with others. Two agencies stated that they had no comments on the report. GAO continues to believe all of its recommendations are warranted.

Matter for Congressional Consideration

Matter | Status | Comments
Congress should consider legislation to designate a senior privacy official, such as a chief privacy officer, at agencies that currently lack such a position. This position should have privacy as its primary duty, the organizational placement necessary to coordinate with other agency functions and senior leaders, and the authority to ensure that privacy requirements are implemented and privacy concerns are elevated to the head of the agency.
Open
As of May 2024, legislation has been introduced in both the House of Representatives and Senate (H.R. 4552 and S. 2251) that would establish the role of a senior privacy official at federal agencies. Specifically, the Federal Information Security Modernization Act of 2023 would, among other things, require the head of each agency to designate a chief privacy officer who would be responsible for leading the agency's privacy program, serve in a central leadership position in the agency, and be positioned to engage with other senior agency leaders, including the head of the agency. We are continuing to monitor the status of this draft legislation.

Recommendations for Executive Action

Agency Affected | Recommendation | Status | Comments
Office of Management and Budget The Director of OMB should take steps to promote, through the Federal Privacy Council or other channels, sharing of information and best practices to help agencies address challenges identified in this report, including the application of privacy requirements and risk management to new and emerging technologies and integrating security and privacy controls. (Recommendation 1)
Open
OMB's Office of Information and Regulatory Affairs stated it agreed with our recommendation and would take steps to address it. As of March 2024, OMB had not provided documentation of actions taken to address this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Office of Management and Budget The Director of OMB should take steps to promote, through the Federal Privacy Council or other channels, the sharing of information, best practices, and other resources related to conducting privacy impact assessments. (Recommendation 2)
Open
OMB's Office of Information and Regulatory Affairs stated it agreed with our recommendation and would take steps to address it. As of March 2024, OMB had not provided documentation of actions taken to address this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Department of Agriculture The Secretary of Agriculture should document program management controls and common privacy controls in place or planned for meeting applicable requirements and managing risks. (Recommendation 3)
Closed – Implemented
The Department of Agriculture stated that it generally agreed with the findings and recommendations in our report. In July 2023, USDA updated its privacy program plan, which specifies that the senior agency official for privacy designates which privacy controls the department will treat as program management, common, system-specific, and hybrid controls. In addition, USDA's privacy controls implementation guidance designates each privacy control as program management, common, hybrid, or system-specific. Accordingly, we consider this recommendation to be implemented. By taking these steps, USDA has increased assurance that privacy protections are consistently implemented across the organization and privacy risks are effectively managed.
Department of Agriculture The Secretary of Agriculture should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 4)
Closed – Implemented
The Department of Agriculture stated that it generally agreed with the findings and recommendations in our report. In July 2023, USDA updated its privacy program plan, and the plan specifies that the senior agency official for privacy reviews IT capital investment plans and budgetary requests to ensure that privacy requirements and associated privacy controls, as well as any associated costs, are explicitly identified and included, with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information. For IT acquisitions, the USDA Privacy Office has provided privacy-related questions for, and participates in, departmental capital planning and investment reviews as well as agency IT portfolio reviews. Accordingly, we consider this recommendation to be implemented. By taking these steps, USDA is better positioned to ensure privacy requirements and associated controls are identified and included for IT resources that involve PII.
Department of Agriculture The Secretary of Agriculture should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 5)
Closed – Implemented
The Department of Agriculture stated that it generally agreed with the findings and recommendations in our report. In July 2023, USDA updated its privacy program plan, and the plan specifies that the senior agency official for privacy (SAOP) assesses and addresses the hiring, training, and professional development needs of the department with respect to privacy. Additionally, the SAOP coordinates with the Chief Information Officer and Chief Human Capital Officer to maintain and enhance a current workforce planning process, maintain workforce skills, recruit and retain privacy and IT professionals, develop a set of competency requirements for staff, and ensure managers are aware of flexible hiring authorities. Accordingly, we consider this recommendation to be implemented. By taking these steps, USDA is better positioned to identify staffing needs and ensure a qualified privacy workforce.
Department of Agriculture The Secretary of Agriculture should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 6)
Open
The Department of Agriculture stated that it generally agreed with the findings and recommendations in our report. As of February 2023, the department stated that its Office of Budget and Program Analysis will incorporate privacy and a process for developing risk tolerance into the USDA Enterprise Risk Management strategy through departmental guidance. It estimated completing these efforts by the end of December 2023. As of March 2024, USDA had not provided additional evidence of these actions. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Agriculture (Priority Rec.) The Secretary of Agriculture should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 7)
Closed – Implemented
The Department of Agriculture stated that it generally agreed with the findings and recommendations in our report. In July 2023, USDA provided updated procedures for its risk management process that specify the role of the senior agency official for privacy and other officials in key risk management steps. Specifically, the procedures define the role of the SAOP in approving security categorizations for systems that contain personally identifiable information (PII), overseeing privacy control assessments, and reviewing system authorization packages. Accordingly, we consider this recommendation to be implemented. By taking these steps, USDA is better able to ensure privacy protections are adequately incorporated into systems with PII.
Department of Agriculture The Secretary of Agriculture should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 8)
Closed – Implemented
The Department of Agriculture stated that it generally agreed with the findings and recommendations in our report. In May 2023, USDA developed a privacy continuous monitoring strategy that outlines its approach to ensuring that privacy controls are in place and operating as intended. Among other things, the strategy outlines the roles and responsibilities of the department's senior agency official for privacy and chief privacy officer and specifies the frequency at which privacy controls will be assessed on an ongoing basis. Accordingly, we consider this recommendation to be implemented. By taking these steps, USDA increases its ongoing awareness of the state of its privacy controls, which is necessary to support decisions for adequately protecting personally identifiable information.
Department of Commerce (Priority Rec.) The Secretary of Commerce should ensure that its organization-wide risk management strategy includes key elements, including a determination of privacy risk tolerance. (Recommendation 9)
Open
The Department of Commerce agreed with our recommendation and stated that it planned to develop a formal action plan. As of March 2024, Commerce officials stated that they planned to develop a privacy risk management strategy by the fourth quarter of fiscal year 2024. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Defense (Priority Rec.) The Secretary of Defense should establish a time frame for fully defining a process to ensure that the senior agency official for privacy or other designated senior privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy, and document this process. (Recommendation 10)
Open
The Department of Defense concurred with our recommendation. As of April 2024, DOD had drafted an update to its policy that assigns responsibility for hiring, training, and professional development of privacy staff to its Senior Component Officials for Privacy. However, this policy had not yet been finalized. DOD officials said they expected to finalize this policy update in the fall of 2024. Once the department states that it has taken action, we plan to verify that implementation has occurred.
Department of Defense The Secretary of Defense should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 11)
Closed – Implemented
The Department of Defense concurred with our recommendation. In April 2024, DOD provided updated policies, including its guidance on implementing risk management practices, that outline its strategy for managing privacy risks. In particular, DOD's risk management instruction provides guidance on the approach and steps needed to incorporate privacy risk responsibilities, tasks, and outcomes as DOD components conduct their risk assessments. Among other elements, the instruction includes guidance on applying operational risk tolerances to security authorization baselines, as applicable. DOD guidance further requires DOD component officials to implement a risk management framework to guide and inform the categorization of federal information and information systems; the selection, implementation, and assessment of privacy controls; the authorization of information systems; and the continuous monitoring of information systems. Accordingly, we consider this recommendation to be implemented.
Department of Defense The Secretary of Defense should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 12)
Open
The Department of Defense concurred with our recommendation. As of April 2024, DOD had provided updates on its efforts to implement this recommendation. We are continuing to follow up with the department to verify whether implementation has occurred.
Department of Education (Priority Rec.) The Secretary of Education should establish a time frame for updating the department's policies for creating, reviewing, and publishing system of records notices, and make these updates. (Recommendation 13)
Open
The Department of Education concurred with our recommendation and described plans under way to address it. As of March 2024, Education reported that it has begun updating existing privacy policies, including those establishing and administering the privacy program, and plans to complete this effort by the end of July 2026. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Energy The Secretary of Energy should establish a time frame for fully defining a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy, and document this process. (Recommendation 14)
Open
The Department of Energy concurred with our recommendation and described planned actions to implement it. In April 2024, DOE stated that it had taken action to address this recommendation, pending internal review. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Energy The Secretary of Energy should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 15)
Open
The Department of Energy concurred with our recommendation and described planned actions to implement it. In April 2024, DOE stated that its Privacy Office will work collaboratively with the Office of Cybersecurity to ensure that privacy is incorporated into the overall organization-wide risk management strategy, including a determination of risk tolerance for privacy-related risks, consistent with the approach outlined in the newly released DOE Privacy Order. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Energy (Priority Rec.) The Secretary of Energy should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 16)
Open
The Department of Energy concurred with our recommendation and described planned actions to implement it. In April 2024, DOE stated that it had taken action to address this recommendation, pending internal review. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Health and Human Services (Priority Rec.) The Secretary of Health and Human Services should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 17)
Open
The Department of Health and Human Services concurred with our recommendation and described actions planned to address it. Specifically, the department stated that it planned to more fully define and document the responsibility and process of the senior agency official for privacy in the next iteration of its Policy for Information Security and Privacy Protection. As of February 2024, HHS stated that it was actively working to implement the recommendation but did not provide further details or an estimated completion date. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Homeland Security The Secretary of Homeland Security should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 18)
Closed – Implemented
The Department of Homeland Security concurred with our recommendation, and its Privacy Office issued its 2024 Risk Assessment Strategy in August 2024. The strategy is intended to provide the Privacy Office with the necessary steps to incorporate privacy risk responsibilities, tasks, and outcomes for all DHS privacy-sensitive activities. Further, the strategy specifies how privacy-related risks are to be assessed and responded to, including how risk tolerance is to be established. Accordingly, we consider this recommendation implemented. By taking these steps, DHS will have greater assurance that it is managing privacy risks within acceptable thresholds.
Department of Homeland Security (Priority Rec.) The Secretary of Homeland Security should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 19)
Closed – Implemented
The Department of Homeland Security (DHS) concurred with our recommendation and provided documentation of its implementation efforts. In December 2023, DHS provided evidence demonstrating that the Chief Privacy Officer (CPO), or other privacy staff, were involved in reviewing system categorizations, assessments of privacy controls, and authorization-to-operate (ATO) packages. Specifically, DHS issued guidance stating that the categorization of a system is a coordinated effort between the privacy point of contact and several other senior-level information system managers, officers, and data owners. Additionally, DHS guidance defined the CPO as responsible for the implementation of security and privacy controls guidance as defined by the National Institute of Standards and Technology (NIST). The authority for selection and assessment of privacy controls ultimately rests with the CPO, who is also responsible for reviewing and approving, as appropriate, privacy control assessments and overseeing all privacy control compliance. Further, DHS guidance stated that an ATO is not issued without the DHS Chief Privacy Officer's approval, which signifies that a system is in compliance with NIST guidance. Accordingly, we consider this recommendation to be implemented. DHS has fully defined and documented the role of the senior agency official for privacy and other designated privacy officials.
Department of Homeland Security The Secretary of Homeland Security should fully develop and document a privacy continuous monitoring strategy. (Recommendation 20)
Closed – Implemented
The Department of Homeland Security concurred with our recommendation and described plans to implement it. As of March 2024, DHS had documented procedures for its PRIVCATS system, which provides a DHS-wide approach to tracking compliance with privacy requirements, inclusive of all privacy controls. DHS also provided evidence that it has cataloged available privacy controls, and these are to be assessed at least every three years. Accordingly, we consider this recommendation to be implemented. By taking these steps, DHS is better positioned to maintain ongoing awareness of the status of privacy controls, which is necessary for adequately protecting personally identifiable information.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 21)
Open
The Department of Housing and Urban Development did not concur with this recommendation, stating that the HUD privacy office participates in the Office of the Chief Information Officer's Configuration Change Management Board and Technical Review Subcommittee. However, based on documentation provided by HUD, it was not clear that this role involved reviewing IT capital investment plans and budgetary requests. We intend to follow up with the department, and once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Housing and Urban Development (Priority Rec.) The Secretary of Housing and Urban Development should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 22)
Open
The Department of Housing and Urban Development did not concur with this recommendation, stating that privacy risks at the enterprise level are addressed through the department's Risk Management Council. However, while a dedicated risk management council can be an important tool for managing agency risks, it does not replace the need for a documented risk management strategy in which the agency explicitly frames its approach to privacy risk. We intend to follow up with HUD, and once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 23)
Closed – Implemented
As of March 2024, HUD had provided a continuous monitoring strategy that assigns responsibilities for implementing and maintaining privacy controls, as well as establishing the frequency at which these controls are to be assessed. Accordingly, we consider this recommendation to be implemented. By taking these steps, HUD is better positioned to maintain ongoing awareness of the state of its privacy controls, which will help ensure the protection of personally identifiable information.
Department of the Interior (Priority Rec.) The Secretary of the Interior should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 24)
Closed – Implemented
The Department of the Interior concurred with our recommendation. In March 2024, Interior provided its updated Enterprise Cybersecurity and Privacy Risk Management Strategy, issued in December 2023. This strategy incorporates privacy and includes key elements such as a discussion of risk tolerance and how the department will assess, respond to, and monitor privacy risks. Accordingly, we consider this recommendation to be implemented. By taking these steps, Interior is better positioned to ensure that it is managing privacy risks within acceptable thresholds.
Department of Justice (Priority Rec.) The Attorney General should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 25)
Open
The Department of Justice did not concur with this recommendation, stating that its existing strategy documents address how it manages privacy risk, including a determination of risk tolerance. As of March 2024, DOJ had provided documents outlining its approach to managing privacy risks. However, they did not include key details such as a discussion of the department's approach to determining privacy risk tolerance, including, for example, factors to be considered and acceptable amounts of risk. According to DOJ officials, while discussions regarding risk thresholds, or the acceptable level of risk for a given activity, have occurred in a number of areas, the department is still working toward developing a department-wide risk tolerance statement. Once the department states that it has taken additional actions, we intend to verify whether implementation has occurred.
Department of Justice
The Attorney General should establish a time frame and fully develop and document a privacy continuous monitoring strategy. (Recommendation 26)
Open
The Department of Justice did not concur with this recommendation, stating that DOJ components must assess all security and privacy controls employed by an information system during initial authorization and assess a subset of controls during continuous monitoring on an ongoing basis. However, documentation provided by DOJ did not specify the frequency with which the department plans to assess each privacy control at the various risk management tiers. Accordingly, we continue to believe our recommendation is warranted. As of March 2024, the department had not provided further updates on actions taken to address this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Labor
The Secretary of Labor should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 27)
Open
The Department of Labor stated that it concurred with our recommendation and would take steps to address it. As of March 2024, the department had not provided further updates on actions taken to address this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Labor
The Secretary of Labor should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 28)
Open
The Department of Labor stated that it concurred with our recommendation and would take steps to address it. As of March 2024, the department had not provided further updates on actions taken to address this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Labor
Priority Rec.
The Secretary of Labor should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 29)
Open
The Department of Labor stated that it concurred with our recommendation and would take steps to address it. In March 2024, DOL stated that it is establishing a new departmental privacy program in the Office of the Chief Information Officer. As part of this process, DOL is developing new privacy policies that, according to officials, will define the role of privacy officials in these activities. DOL estimated completing this effort by the end of fiscal year 2024. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of State
The Secretary of State should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 30)
Open
The Department of State concurred with our recommendation and described plans under way to address it. As of March 2024, the department stated it planned to establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance by April 30, 2024. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of State
Priority Rec.
The Secretary of State should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 31)
Open
The Department of State concurred with our recommendation and described plans under way to address it. As of April 2024, State noted that it was still finalizing updates to its policies that would address our recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of State
The Secretary of State should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 32)
Open
The Department of State concurred with our recommendation and described plans under way to address it. As of April 2024, State noted that it was still finalizing updates to its policies that would address our recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Transportation
Priority Rec.
The Secretary of Transportation should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 33)
Open
The Department of Transportation concurred with our recommendation. As of March 2024, DOT officials stated that the Department is in the final stages of documenting its process and is on track to fully implement the recommendation by April 2024. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Transportation
The Secretary of Transportation should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 34)
Open
The Department of Transportation concurred with our recommendation. As of March 2024, the department had not provided further updates on actions taken to address this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of the Treasury
The Secretary of the Treasury should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 35)
Open
The Department of the Treasury did not state whether it concurred with our recommendation. As of March 2024, Treasury had provided an updated privacy directive stating that the head of each bureau is to ensure the review of bureau capital investment plans, budgetary requests, and acquisitions involving information technology to confirm that privacy compliance issues, required controls, and associated costs are identified and explicitly addressed in all plans, requests, and acquisitions with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information. However, the directive did not specify which privacy staff are involved in these reviews. We are continuing to follow up with Treasury to ascertain these details.
Department of the Treasury
The Secretary of the Treasury should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 36)
Open
The Department of the Treasury did not state whether it concurred with our recommendation. As of March 2024, Treasury had provided an updated privacy directive stating that the head of each bureau is to ensure bureau privacy planning, budgeting, governance, acquisition, and management of personally identifiable information, personnel, equipment, funds, IT resources, and supporting infrastructure and services, including hiring, training, and professional development needs of privacy personnel. However, the directive did not specify the privacy staff to be involved in these activities. We are following up with Treasury to ascertain these details.
Department of the Treasury
The Secretary of the Treasury should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 37)
Closed – Implemented
The Department of the Treasury did not state whether it concurred with our recommendation. In March 2024, Treasury provided its Enterprise Privacy Risk Management Strategy, which discusses how Treasury will assess and manage privacy risks, including a discussion of risk tolerance. Accordingly, we consider this recommendation to be implemented. By developing this strategy, Treasury is better positioned to manage privacy risks within acceptable thresholds.
Department of the Treasury
Priority Rec.
The Secretary of the Treasury should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 38)
Open
The Department of the Treasury did not state whether it concurred with our recommendation. As of March 2024, Treasury had provided an updated privacy directive stating that the Chief Information Officer (CIO) is to ensure the notification of the Director for Privacy and Civil Liberties of meetings and document reviews (including IT authorization packages) involving CIO reviews of IT with PII. However, the directive did not specify which privacy officials were to be involved in such reviews. We are following up with Treasury to ascertain these details.
Department of the Treasury
The Secretary of the Treasury should fully develop and document a privacy continuous monitoring strategy. (Recommendation 39)
Open
The Department of the Treasury did not state whether it concurred with our recommendation. As of March 2024, Treasury had provided an updated privacy directive stating that the head of each bureau is to ensure the implementation of a bureau (or the departmental) privacy risk management strategy that includes a privacy continuous monitoring component. However, Treasury did not provide examples of the associated continuous monitoring strategies. We are following up with Treasury to ascertain these details.
Department of Veterans Affairs
The Secretary of Veterans Affairs should establish a time frame for defining a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests, and document this process. (Recommendation 40)
Open
The Department of Veterans Affairs concurred with this recommendation. As of March 2024, the department stated that it planned to complete actions to address this recommendation by the end of March 2023. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Veterans Affairs
The Secretary of Veterans Affairs should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 41)
Open
The Department of Veterans Affairs concurred with this recommendation. As of February 2023, the department stated that it planned to complete actions to address this recommendation by the end of September 2023. However, as of March 2024, the department had not provided additional updates. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Veterans Affairs
Priority Rec.
The Secretary of Veterans Affairs should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 42)
Closed – Implemented
The Department of Veterans Affairs concurred with this recommendation. As of March 2024, VA had provided updated policies and procedures that defined and documented the role of the senior agency official for privacy and other privacy staff in approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. Accordingly, we consider this recommendation to be implemented. By taking these steps VA is better positioned to ensure that privacy protections are adequately incorporated into systems with personally identifiable information.
Department of Veterans Affairs
The Secretary of Veterans Affairs should ensure that its privacy continuous monitoring strategy includes a catalog of privacy controls and defines the frequency at which they are to be assessed. (Recommendation 43)
Closed – Implemented
In October 2022, we verified that VA, in response to our recommendation, updated its Privacy Continuous Monitoring Strategy and Privacy Controls Catalog, which outline the department's approach to managing the VA privacy continuous monitoring program, including the available privacy controls and the frequency at which they are to be assessed. By taking these steps, VA should have improved awareness of the state of its privacy controls, which is necessary to support decisions for adequately protecting personally identifiable information. Accordingly, we consider this recommendation to be implemented.
Environmental Protection Agency
The Administrator of EPA should fully develop and document a privacy continuous monitoring strategy. (Recommendation 44)
Closed – Implemented
The Environmental Protection Agency concurred with our recommendation and described planned actions to address it. As of April 2024, EPA had provided its Information Privacy Continuous Monitoring Strategy, which outlines its approach to monitoring privacy controls on an ongoing basis, as well as documentation outlining the frequency at which controls are to be assessed. Accordingly, we consider this recommendation to be implemented. By taking these steps, EPA is better positioned to achieve ongoing awareness of the state of its privacy controls, which is necessary to support decisions for adequately protecting personally identifiable information.
General Services Administration
The Administrator of GSA should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 45)
Closed – Implemented
The General Services Administration agreed with our recommendation and in December 2022 provided evidence showing that it had established such a process. Specifically, GSA's IT Capital Planning and Investment Control process requires, among other things, the Senior Agency Official for Privacy to review and approve budget submissions. Accordingly, we consider this recommendation to be implemented. By defining and documenting this process, GSA is better positioned to ensure privacy requirements and associated controls are explicitly identified and included with respect to any IT resources that will involve personally identifiable information.
General Services Administration
The Administrator of GSA should establish a time frame for fully defining a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy, and document that process. (Recommendation 46)
Closed – Implemented
The General Services Administration stated that it agreed with our recommendation and was developing plans to address it. As of February 2024, GSA had defined and documented the role of its senior agency official for privacy and chief privacy officer in assessing and addressing privacy workforce needs. Specifically, the SAOP and CPO assess the agency's privacy workforce needs and advise GSA's Office of Human Resources Management on hiring personnel, in accordance with GSA's Privacy Continuous Monitoring Strategy and the Federal Privacy Council and Office of Personnel Management's "Toolkit for Recruiting, Hiring, and Retaining Privacy Professionals in the Federal Government." Accordingly, we consider this recommendation to be implemented. By taking these steps, GSA is better positioned to identify staffing needs and ensure a well-qualified privacy workforce.
General Services Administration
Priority Rec.
The Administrator of GSA should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 47)
Closed – Implemented
The General Services Administration stated that it agreed with our recommendation. In June 2023, GSA updated its IT Security Procedural Guide: Managing Enterprise Cybersecurity Risk, which defines the GSA cybersecurity risk management process. Among other things, the guide defines and documents the role of the senior agency official for privacy and other privacy officials in key authorization steps, including system categorization, control assessments, and authorization decisions. Accordingly, we consider this recommendation to be implemented. By taking these steps, GSA is better positioned to ensure that privacy protections are consistently applied to systems with personally identifiable information.
National Aeronautics and Space Administration
The Administrator of NASA should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 48)
Open
NASA stated that it agreed with our recommendation and was developing plans to address it. As of March 2024, NASA had provided documentation of efforts taken to address this recommendation. We are following up with NASA to collect additional information and verify whether implementation has occurred.
National Aeronautics and Space Administration
Priority Rec.
The Administrator of NASA should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 49)
Open
NASA stated that it agreed with our recommendation and was developing plans to address it. As of March 2024, NASA had provided evidence to demonstrate actions taken to implement this recommendation. We are following up with NASA to collect additional information and verify whether implementation has occurred.
Nuclear Regulatory Commission
The Chairman of NRC should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 50)
Closed – Implemented
The Nuclear Regulatory Commission stated that it agreed with our recommendation and was developing plans to address it. In May 2023, NRC updated its Privacy Program Plan, which, among other things, specifies the responsibilities of the Senior Agency Official for Privacy (SAOP) with respect to workforce management. Specifically, the SAOP is responsible for ensuring that NRC employees have the appropriate training and education concerning privacy laws, regulations, policies, and procedures, and for working with NRC stakeholders to ensure that vendors and contractors with access to PII who do business with NRC abide by federal privacy requirements. In addition, the SAOP is a voting member of the agency's Human Capital Council and collaborates with members of NRC's Executive Leadership to maintain and enhance the workforce planning process, maintain workforce skills, recruit and retain privacy professionals, and develop a set of competency requirements for staff in the NRC's privacy program. Accordingly, we consider this recommendation to be implemented. By taking these steps, NRC is better positioned to identify staffing needs and ensure a well-qualified privacy workforce.
Nuclear Regulatory Commission
Priority Rec.
The Chairman of NRC should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 51)
Closed – Implemented
The Nuclear Regulatory Commission stated that it agreed with our recommendation and was developing plans to address it. In September 2023, NRC provided updated privacy policies and procedures that specify the role of the Senior Agency Official for Privacy (SAOP) in key risk management steps for systems with personally identifiable information (PII). Specifically, according to NRC policy, the SAOP and Privacy Officer are consulted regarding system categorizations; the SAOP oversees privacy metrics and control evaluations for systems with PII; and the SAOP reviews authorization packages for systems with PII. Accordingly, we consider this recommendation to be implemented. By taking these steps, NRC has increased assurance that privacy protections are adequately incorporated into systems with PII.
Office of Personnel Management
The Director of OPM should establish a time frame for updating the agency's policy for creating, reviewing, and publishing system of records notices, and make these updates. (Recommendation 52)
Open
The Office of Personnel Management partially concurred with this recommendation, noting that it has a process for system of records notices (SORN) while adding it plans to review and update any outdated SORN guidance. In January 2024, OPM officials stated that while the agency may benefit from an updated policy regarding the System of Records Notices (SORN) process at OPM, they adhere to the requirements of the Privacy Act of 1974 and the Office of Management and Budget Circular A-108 in publishing new or updated SORNs. OPM added that it plans to review the current SORN process and policy documentation by the end of Q2 of FY 24, as operational priorities and resources permit. Once the agency states that it has taken action, we will verify whether implementation has occurred.
Office of Personnel Management
The Director of OPM should define and document procedures for coordination between privacy and information security functions. (Recommendation 53)
Closed – Implemented
The Office of Personnel Management partially concurred with this recommendation, noting that it has processes in place for such coordination, while stating that it will evaluate the need for increased documentation of coordination between its privacy and security functions. In April 2024, OPM issued its updated cybersecurity and privacy policy, which documents processes for coordination between privacy and information security functions. For example, the policy provides for the integration of privacy and security controls into a single set to allow for holistic assessments. In addition, the policy defines responsibilities of key officials, such as the Chief Information Officer and Chief Privacy Officer, including collaboration on shared areas of responsibility. Accordingly, we consider this recommendation to be implemented. By taking these steps, OPM is better positioned to consistently consider and incorporate key privacy considerations in security activities.
Office of Personnel Management
The Director of OPM should fully define and document a policy and process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 54)
Open
The Office of Personnel Management did not concur with this recommendation, noting that it has processes in place for the senior agency official for privacy's involvement in workforce planning. In particular, the agency described steps it has taken in this area, including developing a memo in 2020 outlining strategic workforce needs for the Office of Privacy and Information Management. However, OPM has not formalized the role of the SAOP in addressing hiring, training, and professional development needs with respect to privacy, which would help ensure the privacy program's ability to advocate for the skilled and qualified staff it needs on an ongoing basis. Accordingly, we believe our recommendation continues to be warranted. In January 2024, OPM stated that it will consider formally documenting the SAOP's role in hiring, training, and professional development by the end of fiscal year 2024 as priorities and resources allow. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Office of Personnel Management
The Director of OPM should incorporate privacy into an organizationwide risk management strategy that includes a determination of risk tolerance. (Recommendation 55)
Open
The Office of Personnel Management did not concur with this recommendation, stating that its senior agency official for privacy is a member of the OPM Risk Management Council, which identifies, evaluates, and works to mitigate enterprise-wide risk. However, the agency did not develop a documented risk management strategy in which the agency explicitly frames its approach to privacy risk. Accordingly, we continue to believe our recommendation is warranted. In January 2024, OPM stated that it has incorporated privacy risk and mitigation considerations into its enterprise risk management process, which does include determination of risk tolerance on identified privacy risks. OPM further stated that it plans to continue examining its approach to privacy risk management in fiscal years 2024 and 2025 and will look to expand activities consistent with this recommendation, including continuing to work on implementing the privacy and security controls in NIST 800-53 revision 5. Once the agency states that it has taken action to further document its approach to privacy risk management, we plan to verify whether implementation has occurred.
Office of Personnel Management
Priority Rec.
The Director of OPM should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 56)
Open
The Office of Personnel Management partially concurred with this recommendation, stating that its privacy team is involved in various activities related to this process and its privacy and security teams are currently examining roles and responsibilities with respect to the controls and their selection and evaluation. As of January 2024, OPM stated that in fiscal years 2024 and 2025, OPM will continue to look for opportunities to document the role of the SAOP more fully in these activities and that this should be satisfied by the draft agency-level Cybersecurity and Privacy policy that is currently undergoing internal review. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Office of Personnel Management
The Director of OPM should fully develop and document a privacy continuous monitoring strategy. (Recommendation 57)
Open
The Office of Personnel Management partially concurred with this recommendation, stating that it will further evaluate its approach to privacy continuous monitoring and review the need for more comprehensive documentation. As of January 2024, OPM stated that its privacy and security programs work collaboratively to implement the National Institute of Standards and Technology's Special Publication 800-53, revision 5. OPM added that it plans to further evaluate the agency's approach to continuous monitoring and documentation by Q4 of fiscal year 2024 or Q1 of fiscal year 2025. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Small Business Administration
Priority Rec.
The Administrator of SBA should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 58)
Open
SBA stated that it agreed with our recommendation and was developing plans to address it. SBA officials told us in March 2023 that the agency was updating its Privacy Program Plan, which would, among other things, delineate hiring, training, and professional development needs of the agency with respect to privacy. We will continue to follow up with SBA on its efforts.
Social Security Administration
The Commissioner of SSA should define and document procedures for coordination between privacy and information security functions. (Recommendation 59)
Closed – Implemented
In January 2024, SSA provided its Cybersecurity Senior Advisory Committee charter, which defines and documents procedures for coordination between the agency's privacy and information security functions. Specifically, the committee will provide expertise and enable coordination to address the cybersecurity and privacy risks that directly impact SSA's mission and strategic objectives. The committee includes core members from SSA's Office of Information Security, Office of Privacy and Disclosure, and Office of Systems Operations and Hardware Engineering. Accordingly, we consider this recommendation to be implemented. By taking these steps, SSA is better positioned to consistently consider and incorporate key privacy considerations in security activities.
Social Security Administration
The Commissioner of SSA should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests to ensure privacy requirements and associated controls are explicitly identified and included with respect to any IT resources that will involve PII. (Recommendation 60)
Closed – Implemented
SSA stated that it agreed with our recommendation and in September 2024 issued its updated Privacy Program Plan, which, among other things, specifies a process for ensuring that IT investment proposals with PII are reviewed by the appropriate privacy personnel. This includes a process for flagging incoming investment proposals to ensure that this review takes place. Accordingly, we consider this recommendation to be implemented. By taking these steps, SSA can better ensure that privacy requirements and controls are explicitly identified and included with respect to any IT resources that will involve PII.
Social Security Administration
The Commissioner of SSA should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 61)
Open
SSA stated that it agreed with our recommendation. In January 2024, SSA stated that it plans to develop formal agency policy during fiscal year 2024 to more fully address the role of the senior agency official for privacy in training and workforce development. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Social Security Administration (Priority Recommendation) The Commissioner of SSA should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 62)
Closed – Implemented
SSA stated that it agreed with our recommendation, and in February 2024 documented the assignment of key privacy roles to specified officials. In particular, the senior agency official for privacy delegated categorization reviews, privacy control assessment oversight, and authorization package review to relevant officials with privacy duties. Accordingly, we consider this recommendation to be implemented. By taking these steps, SSA can better ensure that privacy protections are adequately incorporated into systems with personally identifiable information.
U.S. Agency for International Development The Administrator of USAID should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 63)
Closed – Implemented
USAID stated that it agreed with our recommendation and described plans to address it. In February 2023, USAID provided evidence showing that it had taken action to address the recommendation. Specifically, USAID took steps to ensure that its Senior Agency Official for Privacy (SAOP) is included as a permanent voting member of the agency's Information Technology Steering Subcommittee (ITSS). The ITSS is an agency-wide executive IT investment governance body; executive representatives from across the agency participate on the ITSS to provide input on business and program needs and make recommendations on investment priorities. The responsibilities of the SAOP include evaluating the privacy impact of all new technology, including its impact on personally identifiable information (PII). Accordingly, we consider this recommendation to be implemented. By establishing this process, USAID is better equipped to ensure that privacy requirements and associated controls are explicitly identified and included with respect to any IT resources that will involve PII.
U.S. Agency for International Development The Administrator of USAID should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 64)
Closed – Implemented
USAID stated that it agreed with our recommendation and described plans to address it. In February 2023, USAID provided evidence that it had incorporated privacy, including a determination of risk tolerance, into its risk management strategy. Specifically, the agency updated its risk appetite statement to acknowledge the overlap between privacy and cybersecurity risks as well as other privacy-related risks to better inform decision-making. This includes incorporating privacy considerations into its risk appetite related to various aspects of the IT risk facing the agency. Accordingly, we consider this recommendation to be implemented. By taking these steps, USAID is better positioned to manage privacy risks within acceptable thresholds.
GAO Contacts

Jennifer Franks
Director
Information Technology and Cybersecurity

Marisol Cruz Cain
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Chief financial officers; Continuous monitoring; Cybersecurity; Federal agencies; Information security; Information systems; Personally identifiable information; Personnel management; Privacy; Privacy protection; Risk management