Privacy assessment finds risk with CDM shared service platform
An updated assessment from the Department of Homeland Security finds that a shared services platform designed to help smaller agencies use the Continuous Diagnostics and Mitigation program brings with it new but manageable privacy risks.
An updated assessment from the Department of Homeland Security finds that a shared services platform designed to help smaller agencies use the Continuous Diagnostics and Mitigation program brings with it new but manageable privacy risks.
Over the past year, DHS has made a concerted effort to bring smaller, non-Chief Financial Officer Act federal agencies onboard CDM while also rolling out a new risk scoring system that it hopes will better gauge the program's effectiveness. To accomplish the first goal, the General Services Administration incorporated a new cloud-based shared services platform from contractor ManTech that opens up a number of CDM capabilities to smaller agencies.
That platform now ingests data collected from CDM tools and sensors at these microagencies, leading DHS to revisit how that information is being protected and kept private. Unlike DHS, which only receives summary data from agencies through its federal dashboard, the contractor-mananged shared services platform collects a richer set of data from agencies, including personally identifiable information.
Because of this increased collection, there is a risk that personal data captured through the platform could be misused, according to a recent privacy impact assessment from DHS. The assessment puts responsibility for keeping that data safe on the contractor, and according to the agency, requirements in the new task order have ensured that ManTech put in place the necessary security measures.
The platform deploys full disk encryption to protect data at rest, while operational components collect logs of all activity at the operating system and application layers to track and identify any potential unauthorized access, with all users restricted from deleting audit logs. Contractor staff are also required to complete privacy trainings.
"The integrator has instituted controls to ensure that agency data is logically separated and segregated so that agencies subscribing to the shared service are only given access and user roles that are specific to their respective agency," the assessment stated.
A similar assessment of the program's new AWARE risk scoring algorithm found that it did not introduce any additional privacy concerns.