Social Media

Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate

GAO-11-605, Jun 28, 2011

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Federal agencies increasingly use recently developed Internet technologies that allow individuals or groups to create, organize, comment on, and share online content. The use of these social media services, including popular Web sites like Facebook, Twitter, and YouTube, has been endorsed by President Obama and provides opportunities for agencies to more readily share information with and solicit feedback from the public. However, these services may also pose risks to the adequate protection of both personal and government information. GAO was asked to (1) describe how federal agencies are currently using commercially provided social media services and (2) determine the extent to which agencies have developed and implemented policies and procedures for managing and protecting information associated with this use. To do this, GAO examined the headquarters-level Facebook pages, Twitter accounts, and YouTube channels of 24 major federal agencies; reviewed pertinent policies, procedures, and guidance; and interviewed officials involved in agency use of social media.

Federal agencies have been adapting commercially provided social media technologies to support their missions. Specifically, GAO identified several distinct ways that 23 of 24 major agencies are using Facebook, Twitter, and YouTube. These include reposting information available on official agency Web sites, posting information not otherwise available on agency Web sites, soliciting comments from the public, responding to comments on posted content, and providing links to non-government sites. For example, agencies used Facebook to post pictures or descriptions of the activities of agency officials and to interact with the public. Agencies used Twitter to provide information in an abbreviated format and to direct the public back to official agency sites. YouTube was used to provide alternate means of accessing videos available on official agency sites, share videos of agency officials discussing topics of interest, or to solicit feedback from the public. The use of these services can pose challenges in managing and identifying records, protecting personal information, and ensuring the security of federal information and systems. However, the 23 major agencies that GAO identified as using social media have made mixed progress in developing and implementing policies and procedures to address these challenges: (1) Records management: 12 of the 23 agencies have developed and issued guidance that outlines processes and policies for identifying and managing records generated by their use of social media and record-keeping roles and responsibilities. (2) Privacy: 12 agencies have updated their privacy policies to describe whether they use personal information made available through social media, and 8 conducted and documented privacy impact assessments to identify potential privacy risks that may exist in using social media given the likelihood that personal information will be made available to the agency by the public. 
(3) Security: 7 agencies identified and documented security risks (such as the potential for an attacker to use social media to collect information and launch attacks against federal information systems) and mitigating controls associated with their use of social media. In several cases, agencies reported having policies in development to address these issues. In other cases, agencies reported that there was no need to have policies or procedures that specifically address the use of social media, since these are addressed in existing policies. However, social media technologies present unique challenges and risks, and without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information, and secure federal systems and information against threats. GAO recommends that agencies ensure that appropriate records management, privacy, and security measures are in place. Most of the agencies agreed with GAO's recommendations. Three agencies did not agree with recommendations made to them; GAO maintains that the actions are necessary.

Status Legend:

Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.

  • In Process
  • Open
  • Closed - implemented
  • Closed - not implemented

Recommendations for Executive Action

Recommendation: To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: Department of Veterans Affairs

Status: Closed - Implemented

Comments: In September 2011, officials from the department provided a privacy impact assessment conducted for use of third-party websites and applications. After reviewing the privacy impact assessment, we confirmed that the privacy impact assessment evaluates potential privacy risks associated with agency use of social media services and identifies strategies to address them.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: Environmental Protection Agency

Status: Closed - Implemented

Comments: In June 2011, we reported that the Environmental Protection Agency (EPA) had not assessed the impact its use of social media may have on its protection of personal information. We recommended to the Administrator of EPA that the agency conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. In August 2011, we verified that EPA, in response to our recommendation, conducted and documented a privacy impact assessment for the agency's use of social media services.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Environmental Protection Agency

Status: Open

Comments: GAO received EPA's letter on October 17, 2011 stating that EPA will assess risks associated with commercially provided social media services it uses. Risks will be assessed by identifying associated threats and vulnerabilities and evaluating them against the likelihood of occurrence and adverse impact. EPA will identify proper security controls that can be used to mitigate identified risks to an acceptable level. EPA remains committed to completing the risk assessment by June 1, 2012.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

Agency Affected: General Services Administration

Status: Open

Comments: In a letter to GAO dated September 30, 2011, GSA stated that it will ensure that GSA Order CPO 1878.2A (Conducting Privacy Impact Assessments (PIAs) in GSA) will be updated to address social media applications. The updated policy and procedures will address privacy issues in GSA information technology (IT) systems, online websites, and social media venues containing personal information about individuals, and will be completed by October 31, 2011. However, we have not received the necessary documentation.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: General Services Administration

Status: Open

Comments: In a letter to GAO dated September 30, 2011, GSA stated that the agency will ensure that a PIA for GSA's Facebook, Twitter, and YouTube accounts is posted on GSA.gov with other GSA PIAs, and that this will be completed by October 31, 2011. However, we have not received the necessary documentation.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

Agency Affected: National Aeronautics and Space Administration

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: National Aeronautics and Space Administration

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: National Aeronautics and Space Administration

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

Agency Affected: National Science Foundation

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: National Science Foundation

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: Office of Personnel Management

Status: Open

Comments: In their initial response, officials from OPM stated that the recommendation will be implemented by February 2012.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Office of Personnel Management

Status: Open

Comments: In their initial response, officials from OPM stated that the recommendation will be implemented by February 2012.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the Small Business Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: Small Business Administration

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Commissioner of the Social Security Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

Agency Affected: Social Security Administration

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

Agency Affected: United States Agency for International Development

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: United States Agency for International Development

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

Agency Affected: Department of Veterans Affairs

Status: Closed - Implemented

Comments: In September 2011, officials provided updated records management guidance that was added to the department's social media policy. After reviewing this guidance, we confirmed that the department has included guidance in its social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of the Treasury should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: Department of the Treasury

Status: Open

Comments: The department has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Department of Transportation

Status: Open

Comments: GAO received DOT's letter on November 1, 2011 stating that DOT is implementing processes to formally assess security risks associated with the use of social media and document decisions and rationale regarding their use. Risk tolerance decisions, including risk mitigation strategies, must be approved at a minimum by the Departmental Chief Technology Officer (CTO), the Chief Information Security Officer (CISO), and the Office of the General Counsel. Social media, which may introduce risks to individual privacy, must also be approved by the Departmental Chief Privacy Officer. The Department anticipates completing implementation before the end of FY 2012. Decisions regarding the use of social media will be accompanied by the identification of security controls that can mitigate threats, to the extent that such controls are available and appropriate.

Recommendation: To ensure that federal agencies have adequate guidance to determine the appropriate method for preserving federal records generated by content presented on agency social media sites, the Archivist of the United States should develop guidance on effectively capturing records from social media sites and that this guidance incorporate best practices.

Agency Affected: National Archives and Records Administration

Status: Open

Comments: The agency has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Agriculture should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: Department of Agriculture

Status: Open

Comments: In November 2011, GAO received USDA's Statement of Action. USDA anticipates that it will complete the enterprise social media PIA by November 30, 2011.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should update privacy policies to describe whether personally identifiable information (PII) made available through use of social media services is collected and used.

Agency Affected: Department of Commerce

Status: Open

Comments: In an initial response to the recommendation, department officials reported that they are in the process of updating the privacy policy on the main department Web site.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Department of Commerce

Status: Open

Comments: In their initial response, department officials reported that the department has yet to conduct a security risk assessment for its use of social media.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Defense should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

Agency Affected: Department of Defense

Status: Closed - Implemented

Comments: On September 29, 2011, GAO received DOD's Adapted Privacy Impact Assessment on Social Media (version date: August 11, 2011).

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Education should update privacy policies to describe whether PII made available through use of social media services is collected and used.

Agency Affected: Department of Education

Status: Closed - Implemented

Comments: GAO received Education's letter dated September 19, 2011 stating that Education has updated its privacy policy to describe how the agency handles personally identifiable information. This letter also includes a link to the complete privacy policy on Education's website.

Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Energy should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Department of Energy

Status: Open

Comments: The department has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Health and Human Services should update privacy policies to describe whether PII made available through use of social media services is collected and used.

Agency Affected: Department of Health and Human Services

Status: Open

Comments: GAO received a letter on October 11, 2011 stating that the HHS Office of the Chief Information Officer (OCIO) and the Office of the Assistant Secretary for Public Affairs are collaborating on revised privacy policy language to describe whether personally identifiable information available through the use of social media services is collected and used. The HHS OCIO has entered this finding into its HHS Cybersecurity Program Plan of Action and Milestones with a planned remediation date of December 31, 2011.

Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Homeland Security should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Department of Homeland Security

Status: Open

Comments: The department has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Housing and Urban Development should conduct and document a security risk assessment to assess security threats associated with agency use of Twitter and YouTube and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Department of Housing and Urban Development

Status: Closed - Implemented

Comments: In June 2011, we reported that the Department of Housing and Urban Development (HUD) had not documented assessments of security risks that social media can pose to federal information or systems in alignment with FISMA requirements. Accordingly, we recommended to the Secretary of HUD that the department conduct and document a security risk assessment to assess security threats associated with agency use of Twitter and YouTube and identify security controls that can be used to mitigate the identified threats. In August 2011, we verified that HUD conducted security risk assessments on the agency use of Twitter and YouTube and identified mitigating controls.

Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Labor should update privacy policies to describe whether PII made available through use of social media services is collected and used.

Agency Affected: Department of Labor

Status: Closed - Implemented

Comments: In June 2011, we reported that the Department of Labor (DOL) had not updated privacy policies to discuss the use of personally identifiable information (PII) made available through the department's use of social media. Accordingly, we recommended to the Secretary of Labor that the department update privacy policies to describe whether PII made available through use of social media services is collected and used. In September 2011, we verified that the department updated the privacy policy on its Web site to include discussion of its use of PII made available through social media.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of Twitter and YouTube and identifies protections to address them.

Agency Affected: Department of State

Status: Open

Comments: The department has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

Agency Affected: Department of State

Status: Open

Comments: The department has yet to provide an update to this recommendation.

Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should update privacy policies to describe whether PII made available through use of social media services is collected and used.

Agency Affected: Department of Transportation

Status: Open

Comments: GAO received DOT's letter on November 1, 2011 stating that DOT third-party web-based interactive technologies must follow the privacy policies outlined in DOT Orders. This includes complying with requirements to collect only the information necessary, and to conduct an adapted Privacy Impact Assessment (PIA), as outlined by OMB. DOT will complete the latest update to its Privacy Policy, which will include additional specificity relating to the recommended actions, before the end of fiscal year (FY) 2012.