The Department of Homeland Security (DHS) integrates privacy protections into our cybersecurity operations through the DHS Privacy Office and the Component privacy offices. The National Protection and Programs Directorate (NPPD) manages our risk-reduction mission, which includes the protection of physical and cyber infrastructure.
This factsheet summarizes the nexus between privacy and cybersecurity at DHS. (PDF, 2 pages - 119 KB)
In 2008, DHS issued a policy declaring the eight Fair Information Practice Principles (FIPPs) (PDF, 4 pages - 101 KB) as the foundation and guiding principles of the Department’s privacy program:
- Individual Participation
- Purpose Specification
- Data Minimization
- Use Limitation
- Data Quality and Integrity
- Accountability and Auditing
The FIPPs were formed from the foundations of the Privacy Act of 1974, and memorialized in the National Strategy for Trusted Identities in Cyberspace. On February 12, 2013, the President signed an Executive Order on Improving Critical Infrastructure Cybersecurity (Executive Order) (learn more about the White House’s ongoing cybersecurity policies). Section 5 of the Executive Order directs the DHS Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties to issue an annual report using the FIPPs to assess the Department’s cyber operations under the Executive Order. As Deputy Attorney General James M. Cole explained during the public presentation of the Executive Order, the FIPPs are “time-tested and universally recognized principles that form the basis of the Privacy Act of 1974 and dozens of other federal privacy and information protection statutes.”
The Executive Order also directs the senior agency privacy and civil liberties officials of other agencies engaged in activities under the order to conduct their own assessments for inclusion in the DHS public report. In 2010, DHS issued a White Paper on Computer Network Security & Privacy Protection (PDF, 11 pages - 114 KB) to provide an overview of the Department's cybersecurity responsibilities, the role of the EINSTEIN system in implementing those responsibilities, and the integrated privacy protections.
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, requires that senior agency officials for privacy and civil liberties assess the privacy and civil liberties impacts of the activities their respective departments and agencies have undertaken to implement the Executive Order, and to publish their assessments annually in a report compiled by the DHS Privacy Office and Office for Civil Rights and Civil Liberties. This is the first of the required annual reports. It includes the DHS Privacy Office’s and Office for Civil Rights and Civil Liberties’ assessments of certain DHS activities under Section 4 of the Executive Order (enhanced threat information sharing with the private sector) as well as assessments conducted independently by the Department of the Treasury and the Departments of Defense, Justice, Commerce, Health and Human Services, Transportation, and Energy, and by the Office of the Director of National Intelligence and the General Services Administration.
- Executive Order 13636 Privacy and Civil Liberties Assessment Report, April 2014, PDF, 152 pages.
Privacy and Civil Liberties Oversight Board Consultation
The Executive Order directs the DHS Privacy Office and Office for Civil Rights and Civil Liberties to consult with the Privacy and Civil Liberties Oversight Board (Board) in producing the annual Privacy and Civil Liberties Assessment Report. The Board reviewed the draft 2014 report and provided comments to DHS. Their letter and responses from DHS and the Department of Justice (DOJ) are posted below:
- Letter from the Privacy & Civil Liberties Oversight Board to DHS, March 21, 2014, PDF, 7 pages.
Privacy Impact Assessments
DHS/NPPD/PIA-027 EINSTEIN 3 Accelerated (E3A), April 19, 2013 (PDF, 260 KB, 27 pages). DHS’ Office of Cybersecurity and Communications (CS&C) continues to improve its ability to defend federal civilian Executive Branch agency networks from cyber threats. Similar to EINSTEIN 1 and EINSTEIN 2, DHS deployed E3A to enhance cybersecurity analysis, situational awareness, and security response. With E3A, DHS will not only be able to detect malicious traffic targeting Federal Government networks, but also prevent malicious traffic from harming those networks. This is accomplished through delivering intrusion prevention capabilities as a Managed Security Service provided by Internet Service Providers (ISP). Under the direction of DHS, ISPs will administer intrusion prevention and threat-based decision-making on network traffic entering and leaving participating federal civilian Executive Branch agency networks. This PIA was conducted because E3A includes analysis of federal network traffic, which may contain PII.
DHS/NPPD/PIA-028 Enhanced Cybersecurity Services (ECS), January 16, 2013, (PDF 22 pages, 4.3 MB). ECS is a voluntary program based on the sharing of indicators of malicious cyber activity between DHS and participating Commercial Service Providers. The program assists owners and operators of critical infrastructure to enhance the protection of their systems from unauthorized access, exploitation, or data exfiltration through a voluntary information sharing program. ECS consists of the operational processes and security oversight required to share unclassified and classified cyber threat indicators with companies that provide internet, network, and communication services to enable those companies to enhance their services to protect U.S. Critical Infrastructure entities. ECS is intended to support U.S. Critical Infrastructure, however, pending deployment of EINSTEIN intrusion prevention capabilities, ECS may also be used to provide equivalent protection to participating Federal civilian Executive Branch agencies. NPPD conducted this PIA because PII may be collected.
DHS/NPPD/PIA-026 National Cybersecurity Protection System (NCPS), July 30, 2012 (PDF, 37 Pages – 7.91MB). NCPS is an integrated system for intrusion detection, analysis, intrusion prevention, and information sharing capabilities that are used to defend the federal civilian government’s information technology infrastructure from cyber threats. The NCPS includes the hardware, software, supporting processes, training, and services that are developed and acquired to support its mission. NPPD conducted this PIA because personally identifiable information (PII) may be collected by the NCPS, or through submissions of known or suspected cyber threats received by the United States–Computer Emergency Readiness Team (US-CERT) for analysis.
DHS/NPPD/PIA-008 EINSTEIN 2, May 19, 2008 (PDF, 23 pages - 423 KB). The original PIA for EINSTEIN 1, dated September 2004, explained that EINSTEIN 1 analyzes network flow information from participating federal civilian Executive Branch agencies networks and provides a high-level perspective from which to observe potential malicious activity in computer network traffic of participating agencies' computer networks. The updated version, EINSTEIN 2, incorporates network intrusion detection technology capable of alerting US-CERT to the presence of malicious or potentially harmful computer network activity in federal civilian Executive Branch agency network traffic. EINSTEIN 2 principally relies on commercially available intrusion detection capabilities to increase the situational awareness of the US-CERT.
DHS/NPPD/PIA-001 The EINSTEIN Program, September 2004 (PDF, 12 pages - 153 KB) EINSTEIN provides US-CERT with a situational awareness snapshot of the health of the federal governments' cyber space. Based upon agreements with participating federal agencies, US-CERT installs systems at their Internet access points to collect network flow data. The agencies are provided tools to analyze their collected data. In addition, the data is shared with US-CERT Security Operations Center, which aggregates it from all EINSTEIN participants to identify network anomalies spanning the Federal Government.
Retired Privacy Impact Assessments
- DHS/NPPD/PIA-014 US-CERT: Initiative Three Exercise, March 18, 2010 (PDF 19 pages, 443 KB).
- DHS/NPPD/PIA-013 EINSTEIN 1: Michigan Proof of Concept February 19, 2010 (PDF, 12 pages - 194 KB).
DHS/NPPD/PIA-021(a) Joint Cybersecurity Services Program (JCSP), Defense Industrial Base (DIB) – Enhanced Cybersecurity Services (DECS), July 18, 2012 (PDF, 9 pages,1.7MB)
DHS/NPPD/PIA-021 National Cyber Security Division Joint Cybersecurity Services Pilot (JCSP), January 13, 2012 (PDF, 16pages – 248 KB).
Privacy Compliance Reviews
Privacy Compliance Review of the EINSTEIN Program, January 3, 2012 (PDF, 9 pages - 112 KB). NPPD launched the EINSTEIN program in 2004 as a computer network intrusion detection system to help protect federal civilian Executive Branch agency information technology enterprises. NPPD conducted PIAs for each phase of the EINSTEIN program, which the DHS Privacy Office reviewed and approved. As NPPD looked ahead toward the next phase of the program, including intrusion prevention services, the DHS Privacy Office determined that conducting a Privacy Compliance Review (PCR) would be timely to ensure the accuracy of compliance documentation and transparency of the EINSTEIN program moving forward. The DHS Privacy Office found NPPD generally compliant with the requirements outlined in both the EINSTEIN 2 PIA and the Initiative 3 Exercise PIA.
DPIAC Recommendations Paper 2012-01, November 7, 2012 (PDF 4 MB, 16 pages), sets forth recommendations for DHS to consider when evaluating the effectiveness of cybersecurity pilots, and for specific privacy protections DHS can consider when sharing information from a cybersecurity pilot with other agencies.