The Department of Homeland Security (DHS) empowers its programs to succeed by integrating privacy protections from the outset. The DHS Privacy Office is the first statutorily mandated privacy office in the Federal Government and serves a unique role as both an advisor and oversight body for the department.
DHS views privacy as more than just compliance with privacy laws. Privacy at DHS is also about public trust and confidence. It’s about how the government acts responsibly and transparently in the way it collects, maintains, and uses personally identifiable information.
DHS employs a layered approach to privacy oversight for the department’s cybersecurity activities. It starts with the Chief Privacy Officer and extends through the National Protection and Programs Directorate (NPPD)’s Component Privacy Officer, the Director of Privacy Technology, and dedicated privacy staff across the department.
This fact sheet summarizes the nexus between privacy and cybersecurity at DHS.
Fair Information Practice Principles (FIPPs)
In 2008, DHS issued a policy declaring the eight Fair Information Practice Principles (FIPPs) as the foundation and guiding principles of the Department’s privacy program:
- Individual Participation
- Purpose Specification
- Data Minimization
- Use Limitation
- Data Quality and Integrity
- Accountability and Auditing
The FIPPs were formed from the foundations of the Privacy Act of 1974 and memorialized in the National Strategy for Trusted Identities in Cyberspace. On February 12, 2013, the President signed an Executive Order on Improving Critical Infrastructure Cybersecurity (Executive Order). Section 5 of the Executive Order directs the DHS Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties to issue an annual report using the FIPPs to assess the Department’s cyber operations under the Executive Order. As Deputy Attorney General James M. Cole explained during the public presentation of the Executive Order, the FIPPs are “time-tested and universally recognized principles that form the basis of the Privacy Act of 1974 and dozens of other federal privacy and information protection statutes.”
The Executive Order also directs the senior agency privacy and civil liberties officials of other agencies engaged in activities under the order to conduct their own assessments for inclusion in the DHS public report. In 2010, DHS issued a White Paper on Computer Network Security & Privacy Protection to provide an overview of the Department's cybersecurity responsibilities, the role of the EINSTEIN system in implementing those responsibilities, and the integrated privacy protections.
Executive Order 13636 Assessment Reports
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, requires that senior agency officials for privacy and civil liberties assess the privacy and civil liberties impacts of the activities their respective departments and agencies have undertaken to implement the Executive Order, and to publish their assessments annually in a report compiled by the DHS Privacy Office and Office for Civil Rights and Civil Liberties.
- 2014 Executive Order 13636 Privacy and Civil Liberties Assessment Report, April 2014.
- Letter from the Privacy & Civil Liberties Oversight Board to DHS, March 21, 2014.
Privacy Impact Assessments
DHS/NPPD/PIA-027 EINSTEIN 3 Accelerated (E3A), April 19, 2013. DHS’ Office of Cybersecurity and Communications (CS&C) continues to improve its ability to defend federal civilian Executive Branch agency networks from cyber threats. Similar to EINSTEIN 1 and EINSTEIN 2, DHS deployed E3A to enhance cybersecurity analysis, situational awareness, and security response. With E3A, DHS will not only be able to detect malicious traffic targeting Federal Government networks, but also prevent malicious traffic from harming those networks. This is accomplished through delivering intrusion prevention capabilities as a Managed Security Service provided by Internet Service Providers (ISP). Under the direction of DHS, ISPs will administer intrusion prevention and threat-based decision-making on network traffic entering and leaving participating federal civilian Executive Branch agency networks. This PIA was conducted because E3A includes analysis of federal network traffic, which may contain PII.
DHS/NPPD/PIA-028 Enhanced Cybersecurity Services (ECS), January 16, 2013. ECS is a voluntary program based on the sharing of indicators of malicious cyber activity between DHS and participating Commercial Service Providers. The program assists owners and operators of critical infrastructure to enhance the protection of their systems from unauthorized access, exploitation, or data exfiltration through a voluntary information sharing program. ECS consists of the operational processes and security oversight required to share unclassified and classified cyber threat indicators with companies that provide internet, network, and communication services to enable those companies to enhance their services to protect U.S. Critical Infrastructure entities. ECS is intended to support U.S. Critical Infrastructure; however, pending deployment of EINSTEIN intrusion prevention capabilities, ECS may also be used to provide equivalent protection to participating Federal civilian Executive Branch agencies. NPPD conducted this PIA because PII may be collected.
DHS/NPPD/PIA-026 National Cybersecurity Protection System (NCPS), July 30, 2012. NCPS is an integrated system for intrusion detection, analysis, intrusion prevention, and information sharing capabilities that are used to defend the federal civilian government’s information technology infrastructure from cyber threats. The NCPS includes the hardware, software, supporting processes, training, and services that are developed and acquired to support its mission. NPPD conducted this PIA because personally identifiable information (PII) may be collected by the NCPS, or through submissions of known or suspected cyber threats received by the United States–Computer Emergency Readiness Team (US-CERT) for analysis.
DHS/NPPD/PIA-008 EINSTEIN 2, May 19, 2008. The original PIA for EINSTEIN 1, dated September 2004, explained that EINSTEIN 1 analyzes network flow information from participating federal civilian Executive Branch agencies' networks and provides a high-level perspective from which to observe potential malicious activity in the computer network traffic of participating agencies. The updated version, EINSTEIN 2, incorporates network intrusion detection technology capable of alerting US-CERT to the presence of malicious or potentially harmful computer network activity in federal civilian Executive Branch agency network traffic. EINSTEIN 2 principally relies on commercially available intrusion detection capabilities to increase the situational awareness of the US-CERT.
DHS/NPPD/PIA-001 The EINSTEIN Program, September 2004. EINSTEIN provides US-CERT with a situational awareness snapshot of the health of the federal government's cyber space. Based upon agreements with participating federal agencies, US-CERT installs systems at their Internet access points to collect network flow data. The agencies are provided tools to analyze their collected data. In addition, the data is shared with the US-CERT Security Operations Center, which aggregates it from all EINSTEIN participants to identify network anomalies spanning the Federal Government.
Privacy Compliance Reviews
Privacy Compliance Review of the EINSTEIN Program, January 3, 2012. NPPD launched the EINSTEIN program in 2004 as a computer network intrusion detection system to help protect federal civilian Executive Branch agency information technology enterprises. NPPD conducted PIAs for each phase of the EINSTEIN program, which the DHS Privacy Office reviewed and approved. As NPPD looked ahead toward the next phase of the program, including intrusion prevention services, the DHS Privacy Office determined that conducting a Privacy Compliance Review (PCR) would be timely to ensure the accuracy of compliance documentation and transparency of the EINSTEIN program moving forward. The DHS Privacy Office found NPPD generally compliant with the requirements outlined in both the EINSTEIN 2 PIA and the Initiative 3 Exercise PIA.
DPIAC Recommendations Paper 2012-01, November 7, 2012. This paper sets forth recommendations for DHS to consider when evaluating the effectiveness of cybersecurity pilots, and for specific privacy protections DHS can consider when sharing information from a cybersecurity pilot with other agencies.