Privacy Overlays

1. Identification

This document is comprised of four Privacy Overlays that identify security and privacy control specifications required to protect personally identifiable information (PII), including protected health information (PHI), in National Security Systems (NSS) and reduce privacy risks to individuals throughout the information

The Privacy Overlays support implementation of, but are not intended to, and do not, supersede privacy requirements of statute, regulation, or Office of Management and Budget (OMB) policy. Since the Privacy Act of 1974 established the requirement for appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect the integrity of systems, both the technology and the threats to it have evolved, and organizations have had to change the way they protect their

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, and Committee on National Security Systems Instruction (CNSSI) 1253 provide the underlying controls necessary to protect national security systems (NSS).

Based on the Fair Information Practice Principles (FIPPs) and federal privacy requirements, these Privacy Overlays provide a consistent approach for organizations to implement appropriate administrative, technical, and physical safeguards to protect PII in information systems, irrespective of whether the organization maintains the PII as part of a system of

The Privacy Overlays provide a method within existing NIST and CNSS structures to implement the security and privacy controls necessary to protect PII in today's technology-dependent world. Not all PII is equally sensitive, and therefore not all PII requires equal protection. PII with higher sensitivity requires more stringent protections, while PII with lower sensitivity requires less stringent protections. There are three Overlays that address the varying sensitivity of PII: Low, Moderate, and High. PHI is a subset of PII and, in addition to sensitivity considerations, PHI requires a minimum set of protections that are based on the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Rules. Therefore, PHI is addressed under a fourth overlay, which is applied on top of the Privacy Overlay determined by the sensitivity of the PHI, i.e., Low, Moderate, or High.

1. For additional information about PII and PHI, see Section 7, Definitions.
2. "Establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any unanticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained." 5 U.S.C. § 552a(e)(10).
3. Committee Report No. 93-1183 to accompany S. 3418 (Sep 26, 1974), p. 9.
4. "[A system of records is] a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. § 552a(a)(5).

Privacy Overlay, Attachment 6 to Appendix F, 04/20/2015.

The Privacy Overlays are based on the following laws, policies, and standards:

The Privacy Act of 1974, as amended (Pub. L. No. 93-579), 5 U.S.C. § 552a.
The Freedom of Information Act (FOIA), as amended, 5 U.S.C. § 552.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191).
E-Government Act [includes Federal Information Security Management Act] (Pub. L. No. 107-347), December 2002.
Federal Information Security Management Act (Pub. L. No. 107-347, Title III), December 2002.
Paperwork Reduction Act (Pub. L. No. 104-13), May 1995, as amended (44 U.S.C. § 3501, et seq.).
The Clinger-Cohen Act of 1996 (Pub. L. No. 104-106).
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) (Pub. L. No. 108-458).
Federal Agency Data Mining Reporting Act of 2007 (Pub. L. No. 109-177).
Federal Records Act (Pub. L. No. 90-620), as amended (44 U.S.C. § 3301).
Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 CFR 731.106).
Committee on National Security Systems (CNSS) Instruction 4009, National Information Assurance Glossary, April 2010.
Committee on National Security Systems (CNSS) Instruction 1253, Security Categorization and Security Control Selection for National Security Systems, March 2014.
OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, November 2000.
Office of Management and Budget Memorandum 99-18, Privacy Policies on Federal Web Sites, June 1999.
Office of Management and Budget Memorandum 03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 2003.
Office of Management and Budget Memorandum 04-04, E-Authentication Guidance, December 2003.
Office of Management and Budget Memorandum 05-08, Designation of Senior Agency Officials for Privacy, February 2005.
Office of Management and Budget Memorandum 06-15, Safeguarding Personally Identifiable Information, May 2006.
Office of Management and Budget Memorandum 06-16, Protection of Sensitive Agency Information, June 2006.
Office of Management and Budget Memorandum 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006.
Office of Management and Budget Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007.
Office of Management and Budget Memorandum 08-09, New FISMA Privacy Reporting Requirements for FY 2008, January 2008.
Office of Management and Budget Memorandum 10-22, Guidance for Online Use of Web Measurement and Customization Technologies, June 2010.
Office of Management and Budget Memorandum 10-23, Guidance for Agency Use of Third-Party Websites and Applications, June 2010.
Office of Management and Budget Memorandum 11-02, Sharing Data While Protecting Privacy, November 2010.
Office of Management and Budget Memorandum 11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines, July 2011.
Office of Management and Budget Memorandum 14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, November 2013.
Federal Agency Responsibilities (44 U.S.C. § 3506).
National Security System (40 U.S.C. § 11103).
The HIPAA Privacy, Security, and Breach Rules, at 45 CFR Parts 160 and 164 (2013).
Federal Acquisition Regulation (FAR), Parts 24, 39, and 52 (48 CFR Parts 24, 39, and 52).
Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004.
National Institute of Standards and Technology Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules, May 2001.
National Institute of Standards and Technology Federal Information Processing Standards Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006.
National Institute of Standards and Technology Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010.
National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (includes updates as of 15 January 2014).
National Institute of Standards and Technology Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security, July 2008.
National Institute of Standards and Technology Special Publication 800-57, Recommendation for Key Management (Parts 1–3), 23 January 2015.
National Institute of Standards and Technology Special Publication 800-60, Volume II, Revision 1, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.
National Institute of Standards and Technology Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, December 2014.
National Institute of Standards and Technology Special Publication 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, February 2007.
National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010.
National Institute of Standards and Technology Special Publication 800-123, Guide to General Server Security, July 2008.
National Institute of Standards and Technology Special Publication 800-124, Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, June 2013.
National Institute of Standards and Technology Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), February 2013.