White House tells agencies to use same framework to exchange information

The White House is requiring federal agencies to consider using a standard configuration developed by the Justice and Homeland Security departments to share information across the public and private sectors.

More than a month ago, the Office of Management and Budget issued guidance to agencies on the website of the National Information Exchange Model, a joint DOJ-DHS program. The OMB document, which is not posted on its website, includes instructions for assessing the framework's merits by May 1.

"All agencies shall evaluate the adoption and use of the National Information Exchange Model as the basis . . . of reusable cross-boundary information exchanges," said an enclosed memo from Kshemendra Paul, the federal chief architect. "The Office of Management and Budget is working jointly with the NIEM Program Management Office to provide guidance and the tools necessary to help you meet this requirement."

OMB did not make the public aware of such plans to overhaul federal information exchange on its website, raising questions about a lack of transparency, as well as the security of the model, according to privacy advocates. OMB officials noted that the NIEM website is public and pointed out that other OMB requirements such as information security standards for the federal government also are posted on other agency sites.

Some privacy groups still have to review the specifications and therefore could not comment, while others urged the Obama administration to fully disclose security procedures if agencies proceed with NIEM. Security experts familiar with the information technology setup at Justice and DHS praised the integrity of the framework and the idea of rolling it out governmentwide.

NIEM launched in 2005 with the goal of linking jurisdictions throughout the country to better respond to crises, including terrorist attacks, natural disasters, large-scale crime and other emergencies handled by Justice and Homeland Security. The standards are intended to expedite the secure exchange of accurate information.

This winter, the Health and Human Services Department announced it will use NIEM as the foundation of a nationwide network for medical professionals to exchange patient data. Some in the health IT community expressed fears that if other agencies are using the same framework as doctors, the government could access private health information. HHS officials have emphasized that harmonizing standards for information exchange will not facilitate the transmission of medical records to law enforcement or intelligence agencies.

Lillie Coney, associate director at the Electronic Privacy Information Center, said securing the points where information is entered and retrieved is critical to ensuring privacy on a NIEM-based system. "Transparency is the key" to implementing systems and policies for sharing citizen information, she said. When asked why she thought OMB did not post the March guidance on its site, Coney said the president "outlined a very good open government policy on his first day in office," referring to a memo urging agency heads to use new technologies to advance government transparency, public-private collaboration and citizen engagement. But "EPIC has found, and so have other open government advocacy organizations, serious gaps between the policy and the actions of certain agencies."

OMB officials said they do not view the requirement that agencies evaluate NIEM as a policy change. Rather it is an implementation of existing policy on federal enterprise architecture, they said. Enterprise architecture is a roadmap for steering operational change that outlines how an agency functions today versus in the future.

Some cybersecurity specialists say agencies should coordinate how they share information based on the NIEM framework.

NIEM is the "most successful effort in terms of data exchange that I have seen," said John Gilligan, a former chief information officer for the Air Force and a member of the team that advised President Obama on IT policies before he took office. "This is something that's worth spending some time in trying to exploit."

Gilligan said NIEM is not focused specifically on protecting information, so controls to safeguard sensitive and private data would have to be incorporated separately. NIEM in and of itself would not be a security or privacy threat, but agencies must ensure that any controls they add are adequate, Gilligan said.

"We absolutely have to do a better job at information exchange and agencies should find a way to standardize -- so we don't let information slip through the cracks," said Gregory Garcia, who served under the Bush administration as the first DHS assistant secretary for cybersecurity and communications and now heads Garcia Strategies.

Garcia said building in safeguards to prevent abuses will be a challenge for agencies. "You can never fully safeguard what is considered an insider threat. But I don't think we should let that tail wag the dog. No system is failsafe and we have to proceed on that basis."
