The White House is requiring federal agencies to consider using a standard configuration developed by the Justice and Homeland Security departments to share information across the public and private sectors.
More than a month ago, the Office of Management and Budget issued guidance to agencies on the website of the National Information Exchange Model, a joint DOJ-DHS program. The OMB document, which is not posted on its website, includes instructions for assessing the framework's merits by May 1.
"All agencies shall evaluate the adoption and use of the National Information Exchange Model as the basis . . . of reusable cross-boundary information exchanges," said an enclosed memo from Kshemendra Paul, the federal chief architect. "The Office of Management and Budget is working jointly with the NIEM Program Management Office to provide guidance and the tools necessary to help you meet this requirement."
OMB did not make the public aware of such plans to overhaul federal information exchange on its website, raising questions about a lack of transparency, as well as the security of the model, according to privacy advocates. OMB officials noted that the NIEM website is public and pointed out that other OMB requirements such as information security standards for the federal government also are posted on other agency sites.
Some privacy groups still have to review the specifications and therefore could not comment, while others urged the Obama administration to fully disclose security procedures if agencies proceed with NIEM. Security experts familiar with the information technology setup at Justice and DHS praised the integrity of the framework and the idea of rolling it out governmentwide.
NIEM launched in 2005 with the goal of linking jurisdictions throughout the country to better respond to crises, including terrorist attacks, natural disasters, large-scale crime and other emergencies handled by Justice and Homeland Security. The standards are intended to expedite the secure exchange of accurate information.
This winter, the Health and Human Services Department announced it will use NIEM as the foundation of a nationwide network for medical professionals to exchange patient data. Some in the health IT community expressed fears that if other agencies are using the same framework as doctors, the government could access private health information. HHS officials have emphasized that harmonizing standards for information exchange will not facilitate the transmission of medical records to law enforcement or intelligence agencies.
Lillie Coney, associate director at the Electronic Privacy Information Center, said securing the points where information is entered and retrieved is critical to ensuring privacy on a NIEM-based system. "Transparency is the key" to implementing systems and policies for sharing citizen information, she said. When asked why she thought OMB did not post the March guidance on its site, Coney said the president "outlined a very good open government policy on his first day in office," referring to a memo urging agency heads to use new technologies to advance government transparency, public-private collaboration and citizen engagement. But "EPIC has found, and so have other open government advocacy organizations, serious gaps between the policy and the actions of certain agencies."
OMB officials said they do not view the requirement that agencies evaluate NIEM as a policy change. Rather, it is an implementation of existing policy on federal enterprise architecture, they said. Enterprise architecture is a roadmap for steering operational change that outlines how an agency functions today versus in the future.
Some cybersecurity specialists say agencies should coordinate how they share information based on the NIEM framework.
NIEM is the "most successful effort in terms of data exchange that I have seen," said John Gilligan, a former chief information officer for the Air Force and a member of the team that advised President Obama on IT policies before he took office. "This is something that's worth spending some time in trying to exploit."
Gilligan said NIEM is not focused specifically on protecting information, so controls to safeguard sensitive and private data would have to be incorporated separately. NIEM in and of itself would not be a security or privacy threat, but agencies must ensure that any controls they add are adequate, Gilligan said.
"We absolutely have to do a better job at information exchange and agencies should find a way to standardize -- so we don't let information slip through the cracks," said Gregory Garcia, who served under the Bush administration as the first DHS assistant secretary for cybersecurity and communications and now heads Garcia Strategies.
Garcia said building in safeguards to prevent abuses will be a challenge for agencies. "You can never fully safeguard what is considered an insider threat. But I don't think we should let that tail wag the dog. No system is failsafe and we have to proceed on that basis."