
do exist, to be sure, such as the cursory treatment of operating system security, 16 but FIPS #31 contains very few errors of commission. Inadequate security has typically been more a management problem than a technical one. For example, in an evaluation of one Federal contractor, the Infonet Division of Computer Sciences Corporation, the Stanford Research Institute found that, although the technical security provided by Infonet met or exceeded the required standards, "the greatest risks to the general level of security of Government data on Infonet were the user's lack of security awareness and failure to use available security precautions."17

In addition to the management problem, another pressing issue has been ignored: the need to assess the value of the information to be protected. Security standards must not only defend against physical damage to a system but must also explicitly consider the distinctions in value among the kinds of information (e.g., confidential vs. public) passing through the system.


In the absence of enforceable general standards geared to the types of information collected and the consequent threats, current Federal practice is characterized by a slow and self-paced approach to information security. Some agencies have implemented adequate safeguards, but others have not. Some, as in the case of Infonet described above, have adopted technical security safeguards beyond what are necessary for the information to be protected; others are under-secure. Yet uniformly applied Federal standards are essential to the implementation of interagency data exchanges and to safeguarding confidentiality.

Safeguarding the Security of Federal Records

Despite the substantial financial investment of the Federal Government in data processing equipment, except for "national security" information, there has been relatively slight attention paid to the development of methods to safeguard the physical security of the information serviced by this equipment. Moreover, the security of manual records systems has been virtually ignored.

Even where guidelines have been developed, such as the NBS guidelines for ADP systems, these have not been comprehensive, nor have they been adequately tested or evaluated. Clearly, several preliminary steps must be taken before general Federal security standards can be adopted. Further steps, detailed below, will be necessary to implement these standards and to ensure their effectiveness.

Testing and Evaluation of Guidelines

Although the Privacy Act has mandated the implementation of some security safeguards and some agencies have traditionally employed preventive security measures, neither the NBS guidelines nor any others encompassing both management and technical safeguards 16 have been adequately tested in a working environment. Similarly, except for national security data, no Federal study has been conducted to evaluate the threat to various kinds of information maintained by Federal agencies and their contractors. Such threat analyses 18 are essential to determine the kinds of safeguards required for different records systems. As both testing and threat analyses are necessary before any Federal security standards can be adopted for government-wide use, both should be undertaken concurrently.

16 The HEW standards have omitted operating system standards from their security manual but plan to include them in a 1977 revision. NBS is also working on this as part of the problem.

17 Quoted in Senate Staff Study, n. 2., supra, p. 55.

OMB should direct a series of demonstration projects in several different agencies with diverse types of information, programs, and purposes and hence with different kinds of security threats. These projects, covering both manual and automated records, should include information networks, exchange programs, and the use of contractors and service bureaus. Each project should involve the implementation of FIPS #31 and other appropriate guidelines with management, technical, risk management, and cost/benefit evaluations of the agency to be conducted over a two-year period.

At the same time, NBS should conduct comprehensive risk assessments of past and potential effects of disclosure, destruction, diversion, and alteration on the confidential information maintained by Federal agencies and their contractors. Background information for the study should include past cases, investigations, and vulnerabilities of Federal and other information systems, both manual and automated. The risk assessments would categorize information as to potential value, damage, and other criteria for use by agencies holding such information. The study should also include an analysis of motives, resources, and targets of disclosure, destruction, diversion, and alteration.

Mandating the Implementation of Federal Security Standards

After evaluating the results of the demonstration projects and threat assessments referred to above, NBS standards could be adapted to serve the needs of different types of information and different estimated threats of disclosure, destruction, diversion, or alteration. These revised standards should be codified and made applicable to all existing and future confidential information maintained by Federal agencies.

Ensuring Continued Security: Procurement Policies

In addition to remedial actions covering existing computer systems, the procurement of new systems and software should emphasize adequate security. It will be necessary to conduct continuing evaluations of new systems and services to ensure that they meet established Federal security standards. Similarly, no computer-related product or service failing to meet such standards should be approved for purchase or lease.

18 Threat analysis is but one component of "risk assessment," the term used below. Risk assessment, a commonly used method for allocating different types and degrees of protection, consists of balancing threats and vulnerabilities against the resources available for safeguards.

As many agencies rely on service bureaus or time-sharing networks for their data processing needs, the security standards of these services must also be evaluated in great detail. All bids and proposals to render such services should include an assurance that the new NBS security standards or equivalent standards have been met or exceeded. Further, any contract for such services should provide that any of the following could result in contract termination:

Noncompliance with the security standards set forth in the bid;

Any security violation other than an inadvertent error occurring while exercising reasonable care; or

Failure to report any security violation immediately after discovery.

Agencies should also be required to investigate the history of the contractor's reliability and, where necessary, to require disclosure of other clients. Conflicts of interest inevitably arise, or at least security risks increase, when rival clients use the same system. For example, an agency possessing large files of detailed medical records on individuals may not want to use a data processing contractor which draws a significant portion of its business from health insurance eligibility investigations.

In the last analysis, agencies maintaining confidential data should be required, as a general rule, to transfer such information from contractors to in-house operations. Even with the requirements and conditions set forth above and any additional contract conditions imposed by the agency, information maintained outside the agency can never be safeguarded or controlled to the same extent as that maintained "in-house."

Personnel Practices Related to Security Can Be Improved

Past studies of security practices have shown that personnel practices are the most significant factor in maintaining adequate security safeguards. Accordingly, it is essential that personnel assigned to work with confidential information should not only be subjected to more thorough background investigations but should also have some awareness of the problems of dealing with sensitive or confidential information. Of course, no personnel selection mechanism will eliminate all threats of dishonesty in any environment, but improved selection practices and training programs should help produce more reliable personnel.

Auditing of Security Practices

At present, there are no criteria for auditing or identifying deficiencies in agency security practices. These will be necessary to assess the effectiveness of the Federal security standards once they have been implemented. While these standards are being developed, GAO should be developing auditing criteria to evaluate agency and contractor compliance. Auditing could be performed either by GAO or by agency audit offices and should include both regular and spot inspections.


Findings and Recommendations

Preceding sections of this report have reviewed statutory and case law, administrative practices, and the information needs of specific Federal programs to explore the impact of Federal confidentiality policies and practices on the Government's information activities. In addition, the Commission has reviewed current law, legal treatises, agency practices, and the reports of other Commissions, particularly the Privacy Protection Study Commission, as a foundation for defining those "appropriate standards of confidentiality" which must, in the last analysis, establish the perimeters of data sharing. This section summarizes the findings set forth in earlier sections and proposes 12 recommendations based on these findings. Although some of these are geared toward strengthening existing confidentiality laws, such as the Privacy Act, the basic thrust of the recommendations is to facilitate data sharing and minimize reporting burdens by enlarging the body of information available for free and open disclosure and by adopting clear and consistent standards of confidentiality.

One basic theme underlies all the preceding sections of this report: there are currently no consistent Federal standards applicable to the confidentiality of information collected and maintained by the Federal Government. There is, instead, a patchwork of laws, regulations, policies, and practices which have developed over the years to suit the purposes of particular program activities or in response to the demands of particular interest groups.

Even in the area of individual information, where the recently enacted Privacy Act should set uniform minimum standards of confidentiality, there are many inconsistencies and deficiencies in Federal policies and practices. The lack of adequate guidance or compliance machinery has left Federal agencies relatively free to determine how to comply with that Act. Numerous other Federal laws impose different disclosure restrictions for data collected in connection with specific programs. Because the Privacy Act applies only to Federal agencies, much of the information needed by State and local authorities to administer federally funded programs is often unregulated. As a result of all these factors, there are still no clearly established or consistent "privacy" standards.

For other types of information, the situation is worse. There is no overall confidentiality law, comparable to the Privacy Act, which regulates the disclosure of business, commercial, or financial information. "National security" information presents a unique problem as, except for information classified by the Atomic Energy Act, there is no way of knowing what kinds of information are, in fact, labeled "top secret", "secret", or "confidential" "in the interest of national defense or foreign policy". As labeling is, to a large extent, a matter of decentralized administrative discretion, it can only be assumed that, in this area, as in the area of business
