A privacy impact assessment of the Continuous Diagnostics and Mitigation (CDM) program’s Shared Service Platform has raised no big privacy concerns, according to a report dated Dec. 19, 2019, and reviewed by the Department of Homeland Security’s (DHS) Acting Chief Privacy Officer.
The Shared Services Platform makes CDM program capabilities available to non-CFO Act Federal agencies – typically smaller and/or independent agencies with limited or shared technological and personnel resources. The platform is provided to the non-CFO Act agencies through a third-party contractor to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) component that connects agency networks to the cloud-based Shared Service Platform.
The privacy impact assessment focuses in part on privacy risks related to that third-party arrangement, and the assessment finds there is a risk that personally identifiable information (PII) inadvertently obtained by the third-party system integrator via the Shared Service Platform could be used inappropriately.
But it also says that risk is mitigated by restrictions from using information, including PII, not directly related to its deployment of the Shared Service Platform for purposes beyond those specified by CISA.
“As a contractor to CISA, the integrator is required to conduct its activities in accordance with DHS requirements, including having all contract staff complete privacy training,” the assessment says.
“Full disk encryption has been implemented across the entire shared service platform to meet applicable data-at-rest requirements. Additionally, all operational components of the shared service collect all logs at the operating system and application levels, including but not limited to, authentication, policy changes, permissions changes, and administrative changes. All users of the shared service (privileged and unprivileged) have been denied the ability to erase audit logs,” the assessment says.