HLSS508 APUS Week 3 Discussion Homeland Security Terrorism
  

Discussion Questions: How has the federal government responded to possible terrorist attacks (mitigation) where civil liberties have not been endangered? Considering that so much of the nation’s critical infrastructure is privately owned, how has the government regulated possible civil liberties issues related to private sector employers/employees? Can balanced policy be implemented regarding critical infrastructure without eroding privacy, freedom of information or other civil liberties?

Instructions: Fully utilize the materials that have been provided to you in order to support your response. Your initial post should be at least 500 words.

Forum posts are graded on timeliness, relevance, knowledge of the weekly readings, and the quality of original ideas. Sources utilized to support answers are to be cited in accordance with the APA writing style by providing a general parenthetical citation (reference the author, year and page number) within your post, as well as an adjoining reference list. Refer to grading rubric for additional details concerning grading criteria.

Grading: Forums are graded using the following rubric: SSGS Discussion Forum Grading Rubric
2014_privacy_and_civil_liberties_assessment_report.pdf

critical_infrastructure_protection_and_the_endangerment_of_civil_liberties.pdf

nipp_2013_partnering_for_critical_infrastructure_security_and_resilience_508_0.pdf

Unformatted Attachment Preview

Executive Order 13636
Privacy and Civil Liberties Assessment Report
Compiled by
The Privacy Office and the Office for Civil Rights and Civil Liberties
Department of Homeland Security
April 2014
FOREWORD
April 2014
We are pleased to present the 2014 Executive Order 13636 Privacy and Civil Liberties
Assessments Report. On February 12, 2013, President Obama issued Executive Order 13636,
Improving Critical Infrastructure Cybersecurity (EO) and Presidential Policy Directive 21,
Critical Infrastructure Security and Resilience (PPD-21), directing federal departments and
agencies to work together and with the private sector to strengthen the security and resilience of
the Nation’s critical infrastructure. The EO requires federal agencies to develop and incentivize
participation in a technology-neutral cybersecurity framework, to increase the volume,
timeliness, and quality of cyber threat information it shares with the private sector, and to work
with their senior agency officials for privacy and civil liberties to ensure that privacy and civil
liberties protections are incorporated into all of these activities.
Section 5 of the EO also requires that senior agency officials for privacy and civil liberties assess
the privacy and civil liberties impacts of the activities their respective departments and agencies
have undertaken pursuant to the EO, and to publish their assessments annually in a report
compiled by our offices. This is the first such annual report. It includes our offices’ assessments
of certain DHS activities under Section 4 of the EO (enhanced threat information sharing with
the private sector) as well as assessments conducted independently by the Department of the
Treasury and the Departments of Defense, Justice, Commerce, Health and Human Services,
Transportation, and Energy, and by the Office of the Director of National Intelligence and the
General Services Administration.
As the programs and activities called for in the EO mature and evolve, departments and agencies,
including DHS, will conduct additional assessments as needed and include them in future annual
reports.
Megan H. Mack
Officer for Civil Rights and Civil Liberties
Karen L. Neuman
Chief Privacy Officer
INTRODUCTION
Background
On February 12, 2013, President Obama issued Executive Order 13636, Improving Critical
Infrastructure Cybersecurity (EO), and Presidential Policy Directive 21, Critical Infrastructure
Security and Resilience (PPD-21), directing federal departments and agencies to work together
and with the private sector to strengthen the security and resilience of the Nation’s critical
infrastructure (CI) against evolving threats and hazards.1 The EO and PPD-21 call for an
updated and overarching national framework that reflects the increasing role of cybersecurity in
securing physical CI. The EO directs federal departments and agencies to:

• Develop a technology-neutral voluntary cybersecurity framework;
• Promote and incentivize the adoption of cybersecurity practices;
• Increase the volume, timeliness, and quality of cyber threat information sharing;
• Explore the use of existing regulation to promote cyber security; and
• Incorporate strong privacy and civil liberties protections into every initiative to secure our
  CI.
PPD-21 directs federal departments and agencies to:

• Develop a situational awareness capability that addresses both physical and cyber aspects
  of how infrastructure is functioning in near-real time;
• Understand the cascading consequences of infrastructure failures;
• Evaluate and mature the public-private partnership;
• Update the National Infrastructure Protection Plan to take into account cyber aspects of
  infrastructure; and
• Develop a comprehensive research and development plan.
The EO and PPD-21 designated the Department of Homeland Security (DHS) as the lead for
federal efforts to implement these requirements. To that end, DHS established an Integrated
Task Force (ITF) to coordinate interagency and public and private sector efforts, and to ensure
effective integration and synchronization of implementation across the homeland security
enterprise. The ITF included several Working Groups, each focused on specific deliverables of
implementation, and was led by a Director and Deputy Director whose work was governed by an
Executive Steering Committee, which reported to the DHS Deputy Secretary. The ITF worked
for 10 months to achieve the implementation timeline directed by the EO and PPD-21 before
turning the EO and PPD work back to the DHS program offices and Sector Specific Agencies
(SSA) responsible for ongoing execution of the required deliverables. Throughout its work, the
ITF and its Working Groups engaged in an unprecedented outreach effort to ensure that the
deliverables required by the EO and PPD-21 were informed by the views and input of the full
range of public and private sector stakeholders.2
1 Links to both the EO and PPD-21 are available on the Department of Homeland Security’s website at
http://www.dhs.gov/strengthening-security-and-resilience-nation%E2%80%99s-critical-infrastructure.
The 2014 EO 13636 Privacy and Civil Liberties Assessments Report
Responsibility to Protect Privacy and Civil Liberties
Section 5 of the EO provides that:
[a]gencies shall coordinate their activities under this order with their senior agency
officials for privacy and civil liberties and ensure that privacy and civil liberties
protections are incorporated into such activities. Such protections shall be based upon
the Fair Information Practice Principles and other privacy and civil liberties policies,
principles, and frameworks as they apply to each agency’s activities.
Thus, privacy and civil liberties protections are central to agency activities undertaken pursuant
to the EO.
Reporting Requirements
Section 5 also requires the DHS Chief Privacy Officer and Officer for Civil Rights and Civil
Liberties to assess the privacy and civil liberties impacts of the activities DHS undertakes
pursuant to the EO and to provide those assessments, together with recommendations for
mitigating identified privacy risks, in an annual public report.3 The EO requires senior agency
officials for privacy and civil liberties in other federal departments and agencies to conduct
assessments of their respective activities and provide those assessments to DHS for inclusion in
the annual report.4
Report Structure and Content
This report is the first annual report under Section 5 of the EO. It includes the DHS Privacy
Office’s and Office for Civil Rights and Civil Liberties’ (CRCL) assessments of DHS activities
undertaken pursuant to Section 4 of the EO. This report also includes submissions from the
following departments and agencies:
• The Department of the Treasury
• The Department of Defense
• The Department of Justice
• The Department of Commerce
• The Department of Health and Human Services
• The Department of Transportation
• The Department of Energy
• The Office of the Director of National Intelligence
• The General Services Administration
2 The Consultative Process developed by the ITF under Section 6 of the EO will continue to ensure stakeholder
involvement in the ongoing work to provide cybersecurity for CI. A complete description of the Consultative
Process and detailed information on the deliverables accomplished under the EO and PPD-21 are available at
www.dhs.gov/eoppd.
3 EO Section 5(b).
4 EO Section 5(b). The EO provides for a classified annex to the report as needed.
Staff of the DHS Privacy Office and CRCL co-chaired the ITF’s Assessments Working Group,
whose members included privacy and civil liberties officials from departments and agencies
throughout the Federal Government. Unlike the other ITF Working Groups, the Assessments
Working Group did not have an assigned deliverable, but instead served as a forum for
participating federal departments and agencies to discuss best practices in conducting privacy
and civil liberties assessments generally, to further work on their respective assessments.
As Section 5 of the EO requires, DHS has served as the compiling agency for this report. The
privacy and civil liberties officials of the participating departments and agencies conducted their
assessments independently when, in their professional judgment, it was appropriate to do so.
Their contributions appear below in separate sections for each submitting department or agency.
It should be recognized that not all departments and agencies used the same reporting period for
their assessments, as progress on deliverables was fluid and department and agency clearance
procedures differ. As the programs and activities called for in the EO mature and evolve,
departments and agencies, including DHS, will conduct additional assessments as needed and
include them in future annual reports.
Table of Submissions
Part I: Department of Homeland Security
Part II: Department of the Treasury
Part III: Department of Defense
Part IV: Department of Justice
Part V: Department of Commerce
Part VI: Department of Health and Human Services
Part VII: Department of Transportation
Part VIII: Department of Energy
Part IX: Office of the Director of National Intelligence
Part X: General Services Administration
PART I
DEPARTMENT OF HOMELAND SECURITY
Department of Homeland Security
EO 13636 Assessments
Table of Contents
I. Introduction
II. EO Implementation Activity: Cybersecurity Information Sharing–Sharelines
III. EO Implementation Activity: Expansion of the Enhanced Cybersecurity Services Program
IV. EO Implementation Activity: The DHS Private Sector Clearance Program
V. EO Implementation Activity: The DHS Loaned Executive Program
Appendix 1: Acronym List
I. Introduction
The DHS Privacy Office
The Privacy Office is the first statutorily created privacy office in any federal agency, as set forth
in Section 222 of the Homeland Security Act (Homeland Security Act), as amended.5 The
mission of the Privacy Office is to protect all individuals by embedding and enforcing privacy
protections and transparency in all DHS activities. The Privacy Office works to minimize the
impact of DHS programs on an individual’s privacy, particularly an individual’s personal
information, while achieving the Department’s mission to protect the homeland. The Chief
Privacy Officer reports directly to the Secretary of Homeland Security.
The DHS Privacy Office accomplishes its mission by focusing on the following core activities:

• Requiring compliance with federal privacy and disclosure laws and policies in all DHS
  programs, systems, and operations, including cybersecurity-related activities;
• Centralizing Freedom of Information Act (FOIA) and Privacy Act operations to provide
  policy and programmatic oversight, to support operational implementation within the
  DHS components, and to ensure the consistent handling of disclosure requests;
• Providing leadership and guidance to promote a culture of privacy and adherence to the
  Fair Information Practice Principles across the Department;
• Advancing privacy protections throughout the Federal Government through active
  participation in interagency fora;
• Conducting outreach to the Department’s international partners to promote understanding
  of the U.S. privacy framework generally and the Department’s role in protecting
  individual privacy; and,
• Ensuring transparency to the public through published materials, reports, formal notices,
  public workshops, and meetings.6
The DHS Office for Civil Rights and Civil Liberties
The Department of Homeland Security Office for Civil Rights and Civil Liberties (CRCL)
supports the Department’s mission to secure the nation while preserving individual liberty,
fairness, and equality under the law. The Office for Civil Rights and Civil Liberties reports
directly to the Secretary of Homeland Security. CRCL integrates civil rights and civil liberties
into all of the Department activities by:
• Promoting respect for civil rights and civil liberties in policy creation and implementation
  by advising Department leadership and personnel;
• Communicating with individuals and communities whose civil rights and civil liberties
  may be affected by Department activities, informing them about policies and avenues of
  redress, and promoting appropriate attention within the Department to their experiences
  and concerns;
• Investigating and resolving civil rights and civil liberties complaints filed by the public
  regarding Department policies or activities, or actions taken by Department personnel;
  and
• Leading the Department’s equal employment opportunity programs and promoting
  workforce diversity and merit system principles.7
5 6 U.S.C. § 142.
6 Detailed information about DHS Privacy Office activities and responsibilities, including Privacy Impact
Assessments conducted by the Privacy Office for DHS cybersecurity-related efforts, is available at
http://www.dhs.gov/privacy.
DHS Methodology for Conducting Executive Order (EO) 13636 Assessments
The DHS Privacy Framework
The Fair Information Practice Principles (FIPPs), which are rooted in the tenets of the Privacy
Act of 1974,8 have served as DHS’s core privacy framework since the Department was
established. They are memorialized in the DHS Privacy Office’s Privacy Policy Guidance
Memorandum 2008-01, The Fair Information Practice Principles: Framework for Privacy
Policy at the Department of Homeland Security9 and in DHS Directive 047-01, Privacy Policy
and Compliance (July 2011).10 The DHS implementation of the FIPPs is as follows:
Transparency: DHS should be transparent and provide notice to the individual regarding
its collection, use, dissemination, and maintenance of Personally Identifiable Information
(PII). Technologies or systems using PII must be described in a SORN and PIA, as
appropriate. There should be no system the existence of which is a secret.
Individual Participation: DHS should involve the individual in the process of using PII.
DHS should, to the extent practical, seek individual consent for the collection, use,
dissemination, and maintenance of PII and should provide mechanisms for appropriate
access, correction, and redress regarding DHS’s use of PII.
Purpose Specification: DHS should specifically articulate the authority which permits
the collection of PII and specifically articulate the purpose or purposes for which the PII
is intended to be used.
7 Detailed information about the activities and responsibilities of the DHS CRCL is available at
http://www.dhs.gov/office-civil-rights-and-civil-liberties.
8 5 U.S.C. § 552a.
9 Available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf.
10 Directive 047-01 is available at http://www.dhs.gov/xlibrary/assets/foia/privacy-policy-compliance-directive-04701.pdf. The Directive supersedes the DHS Directive 0470.2, Privacy Act Compliance, which was issued in October 2005.
Data Minimization: DHS should only collect PII that is directly relevant and necessary
to accomplish the specified purpose(s) and only retain PII for as long as is necessary to
fulfill the specified purpose(s). PII should be disposed of in accordance with DHS records
disposition schedules as approved by the National Archives and Records Administration.
Use Limitation: DHS should use PII solely for the purpose(s) specified in the notice.
Sharing PII outside the Department should be for a purpose compatible with the purpose
for which the PII was collected.
Data Quality and Integrity: DHS should, to the extent practical, ensure that PII is
accurate, relevant, timely, and complete, within the context of each use of the PII.
Security: DHS should protect PII (in all forms) through appropriate security safeguards
against risks such as loss, unauthorized access or use, destruction, modification, or
unintended or inappropriate disclosure.
Accountability and Auditing: DHS should be accountable for complying with these
principles, providing training to all employees and contractors who use PII, and auditing
the actual use of PII to demonstrate compliance with these principles and all applicable
privacy protection requirements.
The FIPPs govern the appropriate use of PII at the Department. DHS uses the FIPPs to enhance
privacy protections by assessing the nature and purpose of all PII collected to ensure it fulfills the
Department’s mission to preserve, protect, and secure the homeland. The DHS Privacy Office
applies the FIPPs to the full breadth and diversity of Department systems, programs, and
initiatives that use PII or are otherwise privacy-sensitive, including the Department’s
cybersecurity-related activities. The Privacy Office works with Department personnel to
complete Privacy Threshold Analyses (PTA),11 Privacy Impact Assessments (PIA),12 and System
of Records Notices (SORN)13 to ensure implementation of privacy policy at DHS, to
demonstrate accountability, and to further the transparency of Department activities. PIAs and
SORNs relevant to the Department’s activities under EO Section 4 are discussed in the
assessments reported below.
11 The first step in the DHS privacy compliance process is for DHS staff seeking to implement or modify a system,
program, technology, or rulemaking to complete a PTA. The Privacy Office reviews and adjudicates the PTA, which
serves as the official determination as to whether or not the system, program, technology, or rulemaking is privacy
sensitive and requires additional privacy compliance documentation such as a PIA or SORN.
12 The E-Government Act and the Homeland Security Act require PIAs, and PIAs may also be required in
accordance with DHS policy issued pursuant to the Chief Privacy Officer’s statutory authority. PIAs are an
important tool for examining the privacy impact of IT systems, initiatives, programs, technologies, or rulemakings.
The DHS PIA is based on the FIPPs framework and covers areas such as the scope and use of information collected,
information security, and information sharing. Each section of the PIA concludes with analysis designed to outline
any potential privacy risks identified in the answers to the preceding questions and to discuss any strategies or
practices used to mitigate those risks. The analysis section reinforces critical thinking about ways to enhance the
natural course of system development by including privacy in the early stages. PIAs are initially developed in the
DHS Components, with input from the DHS Privacy Office. Once approved at the Component level, PIAs are
submitted to the DHS Chief Privacy Officer for final approval. Once approved, PIAs are published on the Privacy
Office website, with the exception of a small number of PIAs for national security systems.
13 The Privacy Act requires that federal agencies issue a SORN to provide the public notice regarding PII collected
in a system of records. A system of records means a group of records under the control of the agency from which
information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying
particular assigned to the individual. SORNs explain how the information is used, retained, and may be corrected,
and whether certain portions of the system are subject to Privacy Act exemptions for law enforcement or national
security reasons. If a SORN is required, the program manager will work with the Component Privacy Officer or
Civil Rights and Civil Liberties Assessment Framework
CRCL conducts assessments using an issue-spotting approach rather than a single framework
because the particular issues presented by any given program or activity vary greatly. The
generalized approach is to do an in-depth factual examination of a program or activity to
determine how it is intended to work and how it does, or will work in practice. Next, CRCL
