Privacy Impact Assessment Security Management Information System (SMIS)
October 10, 2005
This PIA is conducted pursuant to the E-Government Act of 2002, Pub. L. 107-347, and the accompanying guidelines issued by the Office of Management and Budget (OMB) on September 26, 2003. The PIA provides information regarding the collection of personally identifiable information for the purpose of developing, analyzing, sharing, managing, and storing security-related information in order to reduce risk to people, information, operations, equipment, and facilities.
The FBI has reviewed information provided by the FBI's Security Division (SecD) regarding the FBI's development of this system. Taking into account the need for this system and the privacy risks and protections discussed herein, the FBI's Senior Privacy Official approves the FBI's development of this system.
At this time, SMIS is in the preliminary stages of development. The contract is expected to be awarded in January of 2006, with Initial Operational Capability expected to be achieved in late FY 2007 and Full Operational Capability in FY 2012. The privacy assessment will continue throughout the process, with updates to be published prior to the final implementation of the system and at any time in the interim if significant changes to the design of the system warrant a change in the assessment outlined herein.
SMIS will replace outdated manual work processes and stand-alone spreadsheets and databases with an efficient, cohesive, highly automated information sharing system. The enhanced capabilities will allow the FBI to reduce risk to people, information, operations, equipment, and facilities, and to share selected information within the FBI, and when necessary, with other law enforcement entities and Intelligence Community (IC) agencies in the most effective manner possible commensurate with security and privacy considerations.
A. What information is to be collected?
SMIS will contain all security-related information for the entire professional life cycle of an FBI person, facility, or system. SMIS will contain personally identifiable information, such as social security number and date and place of birth, on FBI employees, including support contractors. SMIS will also contain historical, security-related information which is currently collected on the SF-86 security questionnaire; financial information required under Executive Order 12968, Financial Disclosure form SF-714; and as required by the Office of Government Ethics. SMIS may contain adverse information such as any discovered via law enforcement background checks, credit checks, and personnel security investigations, as well as the results of FBI-administered polygraph examinations. Finally, SMIS will contain management information necessary to identify workload problems, processing times, and general trends important to managing the Security Division. SMIS will contain information about the general public only insofar as it is contained in an employee file, such as the relatives listed on an SF-86 security questionnaire.
The information will be collected from the FBI's Bureau Personnel Management System (BPMS), existing paper records maintained by SecD units, interviews, investigative reports, and files from standalone SecD spreadsheets and Microsoft Access databases. SecD is investigating using the Office of Personnel Management eGov initiatives such as the e-QIP system for electronic collection and validation of SF-86 information for new hires. SMIS would be able to ingest information from the Intelligence Community (IC) covered under appropriate reciprocity agreements. Such information would most likely include security clearance information including dates and types of investigations. SMIS may also ingest information from DOD's Joint Personnel Adjudication System (JPAS), which also contains personnel security information. Any external information will be limited to that necessary to grant access to FBI facilities or systems. No information on personnel not affiliated with the FBI will be maintained within SMIS except necessary contact information for references as identified by FBI employees or as a result of routine personnel security investigations. Links to these external systems are in the investigative stages only, and no official FBI determination has been made as to the appropriateness of actually implementing them at this time.
SMIS is also planning to ingest security-related information obtained from state and local criminal records or background checks as they may pertain to a security investigation of an FBI employee. Credit bureaus also provide a source of relevant financial information supporting personnel security investigations. Data from credit bureaus will be ingested only upon specific request by the FBI and only for FBI applicants, employees, and support contractors. These classes of personnel, directly related to the FBI, may contribute personal information necessary to allow adjudication of security clearance and access requests.
Information on public citizens will not be ingested, except to the extent that information about an individual associated with an FBI employee or applicant is relevant to a background investigation. (For example, the name of an applicant's or employee's spouse, former employer, landlord, etc. may be stored within the system.)
FBI applicants, employees, and support contractors will be given the opportunity to verify or rebut any information obtained from outside sources. Additionally, all information will be cross-checked with information contained on relevant forms, such as the SF-86, and employment records. SMIS will have built-in software validation checks that flag inconsistent or incomplete data entries. SMIS will also enforce automatic auditing of all actions affecting individual records. SMIS will provide information making it possible to determine the date the record was created, the trail of who has accessed it and when, and the changes made. SMIS records will be subject to internal manual audits to verify proper operation of the system.
B. Why is the information being collected?
This is not a new collection of information. SecD currently collects all such information in order to develop, analyze, share, manage, and store security-related information so as to reduce risk to people, information, operations, equipment, and facilities. SMIS will automate this information collection to make it more efficient by replacing out-of-date work processes, stand-alone spreadsheets, and databases with an efficient, cohesive information sharing system.
C. What is the intended use of the information?
Data collected within SMIS will be used in the processing of new hires, security clearances, and reinvestigations. It will be used for identification of potential vulnerabilities threatening FBI personnel, operations, facilities, and systems. It will be used to identify management indicators and provide routine reports of actions in process, actions initiated or completed, average handling times, and potential process problems.
D. With whom will the information be shared?
The users of SMIS will be limited to SecD personnel with access granted only to those with a verified need to know the information and whose identity has been authenticated via the FBI Enterprise Identity and Access Management System.
The information may also be shared with agencies outside the FBI if reciprocity rules are approved in the interagency Personnel Security Working Group. Information shared outside the FBI would include security clearance information to support official business visits or Financial Disclosure information if an official applies for a job at another agency. The rules for sharing information outside the FBI have not been established; until they are established, the system will operate in a "closed" mode in which access is denied unless explicitly authorized. Any such information sharing will only be permitted via a human (FBI SecD employee) controlled path.
As noted below, the information in SMIS will be part of the FBI's Central Records System (CRS). The Privacy Act (5 U.S.C. § 552a) prohibits the disclosure of records from a system of records without the written consent of the individual, unless the disclosure falls into one of several categories in the Privacy Act, including a published routine use (5 U.S.C. § 552a(b)(3)). The FBI has published blanket routine uses (BRUs) applicable to most FBI systems of records, including the CRS. It seems probable that many disclosures from SMIS would either occur pursuant to the written consent of the subject of the records, or would fall under BRU-13: "To appropriate officials and employees of a federal agency or entity which requires information relevant to a decision concerning the hiring, appointment, or retention of an employee; the issuance, renewal, suspension, or revocation of a security clearance; the execution of a security or suitability investigation; the letting of a contract; or the issuance of a grant or benefit." (70 Fed. Reg. 7513, 7518 (Feb. 14, 2005)) The FBI will ensure that all considerations of whether and how to share information will be guided by the requirements of the Privacy Act.
E. What notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared?
This will be developed in the requirements definition process. The FBI is considering allowing the individual to update or correct information on an "invitational" basis corresponding to a filing requirement such as the financial disclosure requirements. The FBI is also considering allowing an individual to approach the functional owner of the data if the individual realizes there is an error. SecD plans to develop a system for correction/update in conjunction with its business process need; the Division is exploring the parameters to place on the timing of updates.
F. How will the information be secured?
SMIS will be deployed on the FBI's secret network infrastructure and will be hosted in the FBI datacenter(s). It will interface with existing systems of records such as BPMS, the Enterprise Security Operation Center (ESOC) host-based intrusion detection systems, the ESOC monitoring systems, and the FBI's Public Key Infrastructure.
The system will be secured by restricting access to SecD employees and contractors on a "need to know" basis. No organizations outside SecD will have direct access to SMIS information. No one will have access to a specific record unless he/she, by virtue of his/her official function or responsibility, has been pre-authorized by the responsible record or data owner. For example, no one will have access to polygraph exam results unless preauthorized by the Polygraph Unit Chief in a plan approved by the Personnel Security Section Chief. Furthermore, there will be an audit trail in which all accesses to the records, as well as all changes made to the records, will be time and date stamped with the identity of the person accessing the record and/or making the change. The system will also maintain a record of any disclosures made outside the FBI from the system. An in-depth security plan will be developed as system development progresses.
G. Is a system of records being created under section 552a of title 5, United States Code, (commonly referred to as the "Privacy Act")?
A new system of records is not being created. These records already exist under the FBI's Central Records System, published on February 20, 1998, in the Federal Register at Vol. 63, No. 34, page 8671. This system merely automates the records.
The FBI will continue to place an emphasis on privacy as the system develops. In addition to ensuring adequate security requirements are in place to protect the information, the FBI will also consider whether any information in the system should be shared with other agencies consistent with Privacy Act requirements and, if so, how to best protect individual privacy during any such information-sharing. The FBI will also consider how best to balance a design for individuals to be notified of, to access, and to correct information in the system with the business needs of the system. The FBI will evaluate the status of the records in the system so as to comply with all Federal Records Act requirements. The FBI will consider any viable alternatives in order to arrive at a system design that is efficient and effective, and that protects individual privacy. Before system implementation, and at any point if significant changes occur that warrant a separate privacy impact assessment, the FBI will publish an update to this PIA.