The Department of Homeland Security (DHS) empowers its programs to succeed by integrating privacy protections from the outset. The DHS Privacy Office is the first statutorily mandated privacy office in the Federal Government, and serves a unique role as both an advisor and oversight body for the Department.
DHS views privacy as more than just compliance with privacy laws. Privacy at DHS is also about public trust and confidence, and how the government acts responsibly and transparently in the way it collects, maintains, and uses personally identifiable information (PII).
DHS employs a layered approach to privacy oversight for the Department’s cybersecurity activities. The process starts with the Chief Privacy Officer and extends through the Component Privacy Officer of the Cybersecurity and Infrastructure Security Agency (CISA) and dedicated privacy staff across the Department.
This fact sheet summarizes the nexus between privacy and cybersecurity at DHS.
Fair Information Practice Principles (FIPPs)
In 2008, DHS issued a policy declaring the eight Fair Information Practice Principles (FIPPs). The FIPPs govern the appropriate use of PII at the Department and serve as the foundation of all privacy-related policies and activities at DHS. DHS uses the FIPPs to assess the nature and purpose of all PII collected by the Department to ensure it is necessary to preserve, protect, and secure the homeland. DHS applies the FIPPs to the full breadth and diversity of Department systems, programs, and initiatives that use PII, or are otherwise privacy-sensitive, including the Department’s cybersecurity activities.
Executive Order 13636 & 13691 Assessment Reports
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, issued on February 12, 2013, require federal agencies to develop and incentivize participation in a technology-neutral cybersecurity framework, and to increase the volume, timeliness, and quality of the cyber threat information they share with the private sector.
Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, issued on February 13, 2015, further acknowledges that organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. This Executive Order encourages the formation of such information sharing organizations, establishes mechanisms to improve their capabilities, and enables them to better partner with the Federal Government on a voluntary basis.
Section 5 of both Executive Orders requires that federal agencies coordinate with their respective senior agency privacy and civil liberties officials (“Senior Officials”) to ensure that appropriate protections for privacy and civil liberties are incorporated into any activities conducted under the Executive Orders. The Senior Officials are also required to annually assess and report upon the privacy and civil liberties impacts of their respective agencies’ activities undertaken pursuant to each Executive Order. The Senior Officials must submit those assessments to the DHS Office for Civil Rights and Civil Liberties and the DHS Privacy Office for inclusion in the Privacy and Civil Liberties Assessment reports listed below:
- 2018 Executive Order 13636 & 13691 Privacy & Civil Liberties Assessment Report, November 2018
- 2017 Executive Order 13636 Privacy and Civil Liberties Assessment Report, January 2018
- 2016 Executive Order 13636 Privacy and Civil Liberties Assessment Report, July 14, 2016
- 2015 Executive Order 13636 Privacy and Civil Liberties Assessment Report, April 10, 2015
- 2014 Executive Order 13636 Privacy and Civil Liberties Assessment Report, April 2014
- Letter from the Privacy & Civil Liberties Oversight Board to DHS, March 21, 2014
Cyber-Related Privacy Impact Assessments
The PIAs listed below can be found on the NPPD PIA page under Cybersecurity-Related Privacy Impact Assessments.
- DHS/NPPD/PIA-030 – Continuous Diagnostics and Mitigation (CDM)
- DHS/NPPD/PIA-029 – Automated Indicator Sharing (AIS)
- DHS/NPPD/PIA-028 – Enhanced Cybersecurity Services (ECS)
- DHS/NPPD/PIA-027 – EINSTEIN 3 Accelerated (E3A)
- DHS/NPPD/PIA-026 – National Cybersecurity Protection System (NCPS)
- DHS/NPPD/PIA-008 – EINSTEIN 2 (E2)
- DHS/NPPD/PIA-001 – EINSTEIN
- Retired Cyber-Related Privacy Impact Assessments