White House tells agencies to use same framework to exchange information

The White House is requiring federal agencies to consider using a standard configuration developed by the Justice and Homeland Security departments to share information across the public and private sectors.

More than a month ago, the Office of Management and Budget issued guidance to agencies on the website of the National Information Exchange Model, a joint DOJ-DHS program. The OMB document, which is not posted on its website, includes instructions for assessing the framework's merits by May 1.

"All agencies shall evaluate the adoption and use of the National Information Exchange Model as the basis . . . of reusable cross-boundary information exchanges," said an enclosed memo from Kshemendra Paul, the federal chief architect. "The Office of Management and Budget is working jointly with the NIEM Program Management Office to provide guidance and the tools necessary to help you meet this requirement."

OMB did not make the public aware of such plans to overhaul federal information exchange on its website, raising questions about a lack of transparency, as well as the security of the model, according to privacy advocates. OMB officials noted that the NIEM website is public and pointed out that other OMB requirements such as information security standards for the federal government also are posted on other agency sites.

Some privacy groups still have to review the specifications and therefore could not comment, while others urged the Obama administration to fully disclose security procedures if agencies proceed with NIEM. Security experts familiar with the information technology setup at Justice and DHS praised the integrity of the framework and the idea of rolling it out governmentwide.

NIEM launched in 2005 with the goal of linking jurisdictions throughout the country to better respond to crises, including terrorist attacks, natural disasters, large-scale crime and other emergencies handled by Justice and Homeland Security. The standards are intended to expedite the secure exchange of accurate information.

This winter, the Health and Human Services Department announced it will use NIEM as the foundation of a nationwide network for medical professionals to exchange patient data. Some in the health IT community expressed fears that if other agencies are using the same framework as doctors, the government could access private health information. HHS officials have emphasized that harmonizing standards for information exchange will not facilitate the transmission of medical records to law enforcement or intelligence agencies.

Lillie Coney, associate director at the Electronic Privacy Information Center, said securing the points where information is entered and retrieved is critical to ensuring privacy on a NIEM-based system. "Transparency is the key" to implementing systems and policies for sharing citizen information, she said. When asked why she thought OMB did not post the March guidance on its site, Coney said the president "outlined a very good open government policy on his first day in office," referring to a memo urging agency heads to use new technologies to advance government transparency, public-private collaboration and citizen engagement. But "EPIC has found, and so has other open government advocacy organizations, serious gaps between the policy and the actions of certain agencies."

OMB officials said they do not view the requirement that agencies evaluate NIEM as a policy change. Rather, it is an implementation of existing policy on federal enterprise architecture, they said. Enterprise architecture is a roadmap for steering operational change that outlines how an agency functions today versus in the future.

Some cybersecurity specialists say agencies should coordinate how they share information based on the NIEM framework.

NIEM is the "most successful effort in terms of data exchange that I have seen," said John Gilligan, a former chief information officer for the Air Force and a member of the team that advised President Obama on IT policies before he took office. "This is something that's worth spending some time in trying to exploit."

Gilligan said NIEM is not focused specifically on protecting information, so controls to safeguard sensitive and private data would have to be incorporated separately. NIEM in and of itself would not be a security or privacy threat, but agencies must ensure that any controls they add are adequate, Gilligan said.

"We absolutely have to do a better job at information exchange and agencies should find a way to standardize -- so we don't let information slip through the cracks," said Gregory Garcia, who served under the Bush administration as the first DHS assistant secretary for cybersecurity and communications and now heads Garcia Strategies.

Garcia said building in safeguards to prevent abuses will be a challenge for agencies. "You can never fully safeguard what is considered an insider threat. But I don't think we should let that tail wag the dog. No system is failsafe and we have to proceed on that basis."
