It’s a common refrain for many reports from the Government Accountability Office (GAO), “Progress Made, Challenges Remain.” As privacy risk management is a relatively new topic for most federal agencies to account for, it’s not surprising that challenges remain when it comes to embedding it into federal privacy programs. Last month Cyberscoop published an article highlighting findings from a year-old GAO report on privacy programs at 24 federal agencies. While the report didn’t make big headlines at the time of its publication, the Cyberscoop article’s timing is pretty consistent with the pace of privacy making its way into the enterprise risk discussion.

The 2022 GAO report demonstrates that federal privacy programs are keeping on top of their compliance obligations, which are mostly governed by the Privacy Act of 1974 and Section 208 of the E-Government Act, the latter requiring agencies to conduct Privacy Impact Assessments (PIAs). Coordination between privacy and other programs or functions, such as information security, IT budget and acquisition, and incident response, was not as strong as compliance but was mostly addressed. Federal agencies were, however, falling behind in privacy risk management. Given how recently privacy was integrated into the traditionally security-focused guidance from the National Institute of Standards and Technology (NIST) over the past 15 years, these findings are not surprising.

In 2010, aside from controls protecting the confidentiality of data (a shared privacy and security interest), there was a single control in NIST's signature Special Publication 800-53 for conducting PIAs ("PL-5" for the privacy nerds out there). The title of the publication was "Security Controls for Federal Information Systems."

Fast forward to 2013, and privacy starts making a splash in 800-53 Rev 4 with the addition of Appendix J, a set of privacy controls based on the Fair Information Practice Principles. Privacy also breaks its way into the main title of the publication, now called "Security and Privacy Controls for Federal Information Systems and Organizations." Seven years later, in 2020, the most recent revision of SP 800-53, Revision 5, was published; its privacy controls are no longer relegated to an appendix but integrated into the main catalog.

Integrating these controls requires considerable collaboration between security and privacy programs, and the GAO findings reflect this trend. Privacy risk management concepts and requirements are relatively "new" in the history of federal privacy programs, first appearing in the Office of Management and Budget's overhaul of Circular A-130 in 2017 and followed by a significant update to the NIST Risk Management Framework, SP 800-37, in 2018, which included privacy for the first time.

If a similar review had been conducted 10 years ago, it would look quite different. For starters, the primary focus would be on Privacy Act compliance, as the PIA requirement would still be relatively "new" with uneven results. The concept of privacy risk management wouldn't have even been a part of the study. So even though there's room for improvement, progress has been made.

Fortunately, there are more tools available to organizations regardless of sector or size, including the newest resource, published in 2020: the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.

Looking ahead, let’s hope federal agency privacy programs can overcome challenges to bring privacy risk management on par with other enterprise risks and change the short title of the future GAO report to “Federal Privacy Programs Crushing it at Privacy.”

Jamie Danker
