E-Government Act of 2002
Pub.L. 107-347, 44 U.S.C. § 101
Congress found that the use of computers and the Internet was profoundly changing the relationships “among citizens, private businesses and Government” and that “Federal Government has had uneven success in applying advances in information technology to enhance governmental functions and services.” To remedy this perceived inadequacy, Congress passed the E-Government Act to “promote the use of the Internet and electronic government services,” “to make the Federal Government more transparent and accountable,” as well as “to provide enhanced access to Government information and services in a manner consistent with laws regarding protection of personal privacy, national security, records retention, access for persons with disabilities, and other relevant laws.”
Section 208 of the Act requires every federal agency to conduct a “privacy impact assessment” (PIA) before developing or procuring new or substantially changed information technology that collects, maintains, or disseminates personally identifiable information (PII), and before initiating a new collection of information that will be collected, maintained, or disseminated using information technology. The Department of Homeland Security’s (DHS) Privacy Office, for example, has conducted a PIA of the DHS State, Local and Tribal Fusion Center Initiative (42 pp. PDF).
The White House operates a webpage devoted to the E-Government Act of 2002. In addition, the Office of Management and Budget (OMB) has issued guidance on implementing the Act’s privacy provisions, OMB Memorandum M-03-22. The guidance in Appendix A is particularly helpful: it summarizes the key definitions and spells out when a PIA is required.
Federal Information Security Management Act (FISMA)
Pub.L. 107-347, Title III, 44 U.S.C. §§ 3541-3549 (72 pp. PDF)
Background. FISMA was enacted as Title III of the E-Government Act of 2002 to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets,” and also to “provide for development and maintenance of minimum controls required to protect Federal information and information systems.” 44 U.S.C. § 3541. (FISMA has since been amended by the Federal Information Security Modernization Act of 2014, Pub.L. 113-283, which recodified these provisions at 44 U.S.C. §§ 3551-3558; the section numbers cited below are those of the 2002 Act.)
General Provisions. FISMA requires each Federal agency to:
- designate a Chief Information Officer (CIO),
- delegate to the CIO authority to ensure compliance with the requirements imposed by FISMA,
- implement an information security program,
- report on the adequacy and effectiveness of its information security policies, procedures, and practices,
- participate in annual independent evaluations of the information security program and practices, and
- develop and maintain an inventory of the agency’s major information systems. 44 U.S.C. §§ 3543-45, 3505(c).
FISMA also requires the Director of the Office of Management and Budget (OMB) to ensure the operation of a central Federal information security incident center, a role filled by US-CERT. 44 U.S.C. § 3546. FISMA makes the National Institute of Standards and Technology (NIST) responsible for “developing standards, guidelines, and associated methods and techniques” for information systems used or operated by an agency or contractor, excluding national security systems. 15 U.S.C. § 278g–3. This is the authority under which NIST issues the mandatory Federal Information Processing Standards (FIPS 199 on security categorization and FIPS 200 on minimum security requirements) and the Special Publication 800 series, including the SP 800-53 control catalog that agencies and their contractors must implement.
Privacy and Other Civil Liberties Implications. FISMA establishes a framework for information security programs covering Federal information systems, including systems operated by contractors or other entities on behalf of an agency in support of Federal operations. National security systems, as defined in 44 U.S.C. § 3542(b)(2), are governed by separate standards rather than those issued by NIST, but that definition expressly excludes systems “used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).” Such systems, which are precisely the ones most likely to contain personally identifiable information (PII), are therefore not national security systems and remain fully subject to FISMA’s general requirements and to the NIST standards and guidelines.