Digital.gov Guide

Building by the rules: A crash course for federal technologists

A guide for web and digital practitioners on why public policy matters.

Privacy and security

Public policy influences technology projects as a force both for and against change.


In the previous section, we touched on Section 508 of the Rehabilitation Act of 1973 and the importance of building accessible digital products and federal resources. Now, we will cover how the Privacy Act of 1974 and the Federal Information Security Modernization Act (FISMA) work and share resources to learn more.

Note

This information is best practices based on our own experience. We encourage you to get in touch with your agency’s privacy official and Chief Information Security Officer (CISO) to answer any specific privacy- and security-related questions.

What is the Privacy Act?

The Privacy Act respects the public’s privacy by limiting government use, reuse, and disclosure of personally identifiable information (PII). Specifically, it:

  • Requires agencies to give public notice about record-keeping systems
  • Establishes fair information practices for managing data
  • Limits agencies’ ability to share data
  • Grants the public access to their own records

The following items illustrate some things you can do to respect the public’s privacy:

  • Tell users what information you are collecting from them, and why
  • Minimize collecting information where possible; consider public burden
  • Conduct Privacy Impact Assessments (PIAs) for systems with PII
  • For agency information exchanges, consider pursuing a Computer Matching Agreement
  • Publish notice of your agency’s systems of records (a System of Records Notice, or SORN) in the Federal Register, as the Act requires
  • Abide by agency and federal disclosure rules
  • Consider the Health Insurance Portability and Accountability Act (HIPAA) implications if applicable

Visit Justice.gov to learn more about the Privacy Act of 1974. You may also visit your agency website. For example, the Department of Health and Human Services (HHS) publishes agency-specific Privacy Act information on HHS.gov.

What is FISMA?

The Federal Information Security Modernization Act requires agencies to protect federal information by:

  • Creating a cybersecurity plan
  • Conducting regular risk assessments
  • Implementing cybersecurity controls
  • Continuously monitoring their systems for vulnerabilities and attacks

For more information, see the Centers for Medicare and Medicaid Services’ helpful one-pager on FISMA.

To use, buy, or build software for the government, you need an authorization to operate (ATO). This requirement stems largely from FISMA. For an overview of ATOs, read An introduction to ATOs.

Federal security compliance is based on evaluating security criteria. Those criteria are a wide-ranging set of considerations called controls. The National Institute of Standards and Technology (NIST) defines these controls in a special publication (SP) called NIST SP 800-53 (Revision 5), Security and Privacy Controls for Information Systems and Organizations. Read An introduction to security and privacy controls for a brief explainer of NIST’s 800-53 control families for information systems and organizations.

The Federal Risk and Authorization Management Program (FedRAMP) is a governmentwide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services. Visit FedRAMP.gov to learn more about the FedRAMP program basics.

Case study

Considering privacy and security for FindSupport.gov

For context, we cover these two policies to highlight their importance. Although FindSupport.gov did not go through all the steps listed above, the team maintained awareness of how such policies could affect product development.

The FindSupport.gov team used SAMHSA’s existing content management system, which removed the need to seek a new ATO. Additionally, every user research session required verbal and written consent from participants, and the team used approved tools to store research data and de-identified participant information.