Information Management: Agencies Need to Streamline Electronic Services
Fast Facts
Federal agencies must obtain written consent from individuals before disclosing their personal information. The Office of Management and Budget issued guidance that outlined agencies' responsibilities for accepting digital access and consent forms. Agencies were to implement the requirements in this guidance by November 2021.
We found that, as of August 2022, only 1 of the 17 agencies that we reviewed had done so (the Securities and Exchange Commission). The others faced technical issues and competing priorities that have caused delays.
We recommended that agencies establish reasonable time frames for fully implementing OMB's guidance.
Highlights
What GAO Found
With certain enumerated exceptions, the Privacy Act of 1974 prohibits disclosure of records to any person or agency, unless disclosure is pursuant to the prior written request by, or with the prior written consent of, the individual to whom the record pertains. As required by the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, the Office of Management and Budget (OMB) issued guidance that outlined agencies' responsibilities for accepting digitally-formatted access and consent forms from individuals who are properly identity proofed and authenticated. Agencies were to implement the requirements in the OMB guidance by November 2021. As of September 2022, one of the selected agencies—the Securities and Exchange Commission (SEC)—reported that they had fully implemented OMB's guidance. The remaining 16 agencies reported encountering technical challenges and competing priorities that have delayed them from fully implementing OMB's guidance. However, five of these agencies have established time frames for full implementation. Sharing information on SEC's success could benefit other agencies' efforts to implement OMB's requirements.
Why GAO Did This Study
The Privacy Act prohibits disclosure of records to any person or agency, unless disclosure is pursuant to the prior written request by, or with the prior written consent of, the individual to whom the record pertains. Accordingly, agencies have developed various procedures and forms by which individuals may establish their identity and request access to or provide written consent for the disclosure of their records.
To simplify and modernize this process, the CASES Act required OMB to issue applicable guidance. This guidance was to: (1) require agencies to accept electronic identity proofing and authentication; (2) create a template for electronic consent and access forms and requires each agency to post the template on the agency website; and (3) require each agency to accept electronic consent and access forms from individuals that have been properly identity proofed and authenticated.
GAO was asked to review the implementation of the CASES Act at OMB and federal agencies. GAO selected 17 agencies for review that had received 5,000 or more Freedom of Information Act requests in fiscal year 2020.
Recommendations
GAO is making a total of 12 recommendations, one to OMB to facilitate information sharing among agencies, and one to each of 11 agencies to establish reasonable time frames for fully implementing OMB guidance. Seven agencies concurred with our recommendations, while four agencies and OMB either generally agreed or did not state whether they agreed or disagreed with our recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Management and Budget | The Director of the Office of Management and Budget should take steps to promote, through mechanisms such as the Federal Privacy Council and Chief Information Officers Council, sharing of information and lessons learned to help agencies implement the requirements of the CASES Act; this could include SEC sharing information on overcoming challenges and identifying lessons learned. (Recommendation 1) |
Open
As of May 2023, OMB has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
|
| Department of Defense | The Secretary of Defense should establish a reasonable time frame for when the Department of Defense will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 2) |
Open
As of May 2023, DOD has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
|
| Department of Health and Human Services | The Secretary of Health and Human Services should establish a reasonable time frame for when the Department of Health and Human Services will be able to digitally accept access and consent forms from individuals who were properly identity proofed and authenticated and post access and consent forms on the department's privacy program website. (Recommendation 3) |
Open
As of June 2023, HHS reported that it receives approximately 15,000 first-party request per year, 90% of which are received by the Centers for Medicare and Medicaid Services (CMS). In addition, the department noted that CMS added functionality to an existing electronic processing platform in September 2022 to allow users to choose between Login.gov and ID.me for digital proofing. The electronic processing platform is expected to permit CMS to accept remote identity proofing and authentication from individuals requesting access to their records. HHS also described its ongoing efforts towards being fully compliant with the CASES ACT and the Office of Management and Budget implementation guidance (M-21-04), but the department has not yet established a time frame for completion.
|
| Department of the Interior | The Secretary of Interior should establish a reasonable time frame for when the Department of the Interior will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 4) |
Open
As of May 2023, DOI has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
|
| Department of Justice | The Attorney General should establish a reasonable time frame for when the Department of Justice will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 5) |
Open
As of June 2023, Justice noted that any solution to implement remote identity proofing with authentication consistent with the CASES ACT and the Office of Management and Budget implementation guidance (M-21-04) must meet NIST's technical standard known as "Identity Assurance Level 2" (IAL2). In addition, the Department stated that they had been exploring acquiring the remote identity proofing services known as Login.gov offered by the General Services Administration (GSA), as a means of complying with the requirements of the CASES Act and M-21-04. Further, Justice stated the concerns identified in the GSA Inspector General report have contributed to challenges that the Department has faced in finding a solution to facilitate CASES Act compliance.
|
| Department of Transportation | The Secretary of Transportation should establish a reasonable time frame for when the Department of Transportation will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 6) |
Open
As of May 2023, DOT has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
|
| Department of the Treasury | The Secretary of Treasury should establish a reasonable time frame for when the Department of the Treasury will be able to digitally accept access and consent forms from individuals who were properly identity proofed and authenticated and post access and consent forms on the department's privacy program website. (Recommendation 7) |
Open
As of June 2023, Treasury reported that it is exploring options for an authentication solution that includes an option for Multi-Factor Authentication Phishing Resistance. The Treasury will update GAO once they have a timeframe for implementation.
|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should establish a reasonable time frame for when the Department of Veterans Affairs will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 8) |
Open
As of June 2023, the VA's Office of Information and Technology (OIT) stood-up a focused team to explore solutions, develop a plan with milestones, establish level of effort, requirements, estimated costs, and a time frame for compliance. VA stated that within the next 90-days, the focused team responsible for addressing compliance with the CASES ACT and the Office of Management and Budget implementation guidance (M-21-04) will refine the plan based on the selected solution. OIT will provide an updated response to GAO, to include a detailed plan with milestones by July 31, 2023.
|
| Equal Employment Opportunity Commission | The Chair of the Equal Employment Opportunity Commission should establish a reasonable time frame for accepting remote identity proofing with authentication, digitally accepting access and consent forms from individuals who were properly identity proofed and authenticated, and posting access and consent forms on the agency's privacy program website. (Recommendation 9) |
Open
As of June 2023, EEOC stated it has finalized plans to use the agency's FOIA portal vendor to route Privacy Act requesters through Login.gov to accept online access and consent forms from individuals who have been identity proofed and authenticated. In addition, this initiative is in the acquisition phase with planned delivery during the second quarter of Fiscal Year 2024.
|
| National Archives and Records Administration | The Archivist of the United States should establish a reasonable time frame for when the National Archives and Records Administration will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the agency's privacy program website. (Recommendation 10) |
Open
As of May 2023, NARA has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
|
| Office of Personnel Management | The Director of the Office of Personnel Management should establish a reasonable time frame for when the agency will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the agency's privacy program website. (Recommendation 11) |
Open
As of May 2023, OPM has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
|
| Social Security Administration | The Commissioner of the Social Security Administration should establish a reasonable time frame for when the agency will post access and consent forms on the agency's privacy program website. (Recommendation 12) |
Open
As of June 2023, the Social Security Administration expects to post an electronic consent form that complies with the Creating Advanced Streamlined Electronic Services for Constituents ACT of 2019 and Office of Management and Budget memorandum M-21-04 to their website by September 30, 2023. Lastly, SSA anticipates posting a compliant access form to their website in fiscal year 2025.
|