HHS HSPD12 and Privacy Presentation to the AICPA GAAC East Conference - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
HHS HSPD-12 and Privacy Presentation to the AICPA
GAAC East Conference
  • Mario Morales, Director, HSPD-12 Program Office
  • Department of Health & Human Services
  • August 21, 2007

2
HSPD-12 Privacy Duties
  • HSPD-12 Background and HHS Program Overview
  • Privacy Act of 1974 Compliance
  • HSPD-12 Systems of Records
  • HSPD-12 Privacy Impact Assessments (PIA)
  • Communications

3
HSPD-12 Background
  • Homeland Security Presidential Directive-12
    (HSPD-12): Policy for a Common Identification
    Standard for Federal Employees
  • Mandates the use of common identification
    cards to regulate physical and logical access
    across the Federal Government
  • The intent of HSPD-12 is to:
      • Establish secure, reliable forms of
        identification
      • Create IDs that are resilient to tampering and
        fraud
      • Provide a fast means of electronic production
      • Ensure ID issuers have gone through a specific
        accreditation test
      • Protect personal privacy

4
HHS HSPD-12 Program Overview
  • Department-wide implementation of HSPD-12 is
    under one program
  • Centralized oversight and management of
    Department policies, procedures, guidance, and
    management reporting
  • Operating Divisions (e.g., National Institutes
    for Health) are responsible for managing their
    local implementations to suit their differing
    missions
  • Centralized Program Office contributes to the
    uniformity that OMB mandates in its guidance
    (e.g., OMB memo M-06-06)
  • Privacy Act compliance and the use of information
    in notices and storage systems is uniform across
    the entire Department
  • Minor differences in implementation of the
    Privacy Impact Assessments may arise as a result
    of uniqueness among the OPDIVs
  • Issuance of new badges will not only be a major
    component of the HSPD-12 Program, but a routine
    process for all new HHS employees

5
Privacy Act of 1974
  • States that no agency shall disclose any record
    which is contained in a system of records by any
    means of communication to any person or agency
    without the consent of the individual to whom the
    record pertains.

6
Privacy Act - System of Records Notice
  • System of Records Notice (SORN) - Federal
    standard for notifying the public of the types of
    records stored and methods and time frames of
    storage within a given system of records
  • With respect to HSPD-12, it is the agency's
    responsibility to:
      • Maintain records about an individual that include
        only information that is relevant to the role of
        the agency in HSPD-12
      • Ensure that records are accessible to the
        individual for review
      • Collect information to the greatest extent
        practicable directly from the subject individual
      • Inform each individual whom it asks to supply
        information on the uses and purposes of the
        information

7
HSPD-12: 3 Systems of Records
  • Background and Personnel Security
  • Identity Management System (IDMS)  
  • Personal Identity Verification (PIV) Card

8
Background & Personnel Security
  • The records in this system of records are used to
    document and support decisions regarding
    clearance for access to classified information
  • These records are also used to determine the
    suitability, eligibility, and fitness for service
    of applicants for federal employment and contract
    positions
  • Records are to be stored securely both on paper
    and electronically
  • Background investigation files are retrieved by
    name, Social Security number (SSN), or
    fingerprint
  • What information is kept about me?
      • Appropriate investigation form (e.g., SF-85,
        SF-86)
      • Ten-print fingerprints (OPM)

9
Identity Management System (IDMS)
  • Identity Management System (IDMS): the system or
    application that manages the identity
    verification and validation process.
  • Stored information:
      • SSN/Employee ID
      • Place and Date of Birth
      • Organizational Affiliation
      • Employee Affiliation
      • Biometric Identifiers
      • Digital Color Photo
      • Digital Signature
      • Work Telephone Number
      • Work Address
      • Work E-mail
      • Identity Document Description

Source: BearingPoint, Inc. Management & Technology Consultants
10
Personal Identity Verification (PIV) Card
  • Federal smart card governed by National
    Institute of Standards and Technology (NIST)
    Federal Information Processing Standard (FIPS)
    201-1
  • Two sets of requirements for PIV:
      • Personal identity proofing, registration, and
        issuance processes
      • Card elements, system interfaces and security
        controls required to securely store, process and
        retrieve identity credentials from a smartcard
  • What information is stored about me?
      • Full Name
      • Facial Photo
      • Organizational Affiliation
      • Employee Affiliation
      • Biometric Identifiers (fingerprint minutiae)
      • Digital Signature

11
Card Usage Privacy Act Statement
  • The Privacy Act of 1974 requires that any holder
    of a PIV Card be aware of what information is
    collected and how that information will be used
  • The PIV Card is a way to prove that you are who
    you claim to be when you enter a federal building,
    and to grant access to computers, applications,
    and data
  • All federal agencies will use the PIV Card for
    verification in the above circumstances

12
Privacy Impact Assessments (PIA)
  • Analyzes the information technology systems used
    to implement HSPD-12 and the associated privacy
    impacts
  • Provides detail about the agency's role in the
    collection and management of Personally
    Identifiable Information (PII) for the purpose of
    issuing ID badges
  • Covers all aspects of HSPD-12, including:
      • Background Investigation
      • Identity proofing and registration
      • IDMS
      • PIV Card

13
Communications
  • In accordance with the E-Government Act of 2002
    and the Federal Information Security Management
    Act (FISMA), privacy documents must be current
    and publicly posted
  • Develop, implement, and post in multiple
    locations your department/agency's Privacy Act
    statement/notice
  • HHS Privacy Documents can be found at the
    following links:
      • http://www.hhs.gov/Privacy.html
      • http://www.hhs.gov/ocio/securityprivacy/

14
Questions?