18F / DOI-Digital-Services-PIA-UX

Repository for the DOI Digital Services Privacy Impact Assessment UX project.

Section 2 Updates - @ACBarker #8

Open OpenGlobe opened 7 years ago

OpenGlobe commented 7 years ago

NB that a SORN is generally used to mean "System of Records Notice," which goes in the Federal Register and establishes a System of Records. Sometimes people use it to mean a "System of Records Number" to much confusion.

FYI SORNs will all be public and should be listed in a consolidated place for DOI. If that's not done - we should get it done, and you might point folks in 2.5 to that list because they're likely to be able to identify which is the appropriate SORN.

femmebot commented 7 years ago

@OpenGlobe I think I may have mixed up the content edits previously so sections 2.4 and 2.3 (and 2.1) are now formatted differently in the latest update. Does the new format and content address the sec 2.3 and sec 2.4 issues above?

femmebot commented 7 years ago

@OpenGlobe I've also gone ahead and changed generic information to PIA in the latest update.

OpenGlobe commented 7 years ago

@femmebot - here's the current list of acronyms from the DOI guide if we want to use them here - I've included an abbreviated list along with the original. I think we probably don't need to include anything that isn't referenced in the form? Could probably be further paired down (FEDRAMP for example has a fairly streamlined acronym list since they don't make many direct references in the doc as I recall):

Acronyms

- ATO: Authority to Operate
- CIO: Chief Information Officer
- CISO: Chief Information Security Officer
- CSAM: Cyber Security Assessment and Management
- DIAR: DOI Acquisition Regulation
- DOI: Department of the Interior
- FAR: Federal Acquisition Regulations
- FISMA: Federal Information Security Management Act
- FOIA: Freedom of Information Act
- GAO: Government Accountability Office
- GSS: General Support System
- ICCO: Information Collection Clearance Officer
- ISSO: Information System Security Officer
- IT: Information Technology
- MOU: Memorandum of Understanding
- NIST: National Institute of Standards and Technology
- OMB: Office of Management and Budget
- PIA: Privacy Impact Assessment
- PII: Personally Identifiable Information
- PRA: Paperwork Reduction Act
- SAOP: Senior Agency Official for Privacy
- SORN: System of Records Notice
- SP: Special Publication
- SSN: Social Security Number
- SSP: System Security Plan


Original list

Acronyms

- A&A: Assessment and Authorization
- ADIR: Assistant Director for Information Resources
- ATO: Authority to Operate
- BCISO: Bureau/Office Chief Information Security Officer
- CFR: Code of Federal Regulations
- CIO: Chief Information Officer
- CISO: Chief Information Security Officer
- CSAM: Cyber Security Assessment and Management
- DIAR: DOI Acquisition Regulation
- DOI: Department of the Interior
- DM: Departmental Manual
- EFS: Enterprise Forms System
- FAR: Federal Acquisition Regulations
- FIPS: Federal Information Processing Standards
- FISMA: Federal Information Security Management Act
- FISSA: Federal Information Systems Security Awareness
- FOIA: Freedom of Information Act
- GAO: Government Accountability Office
- GSS: General Support System
- ICCO: Information Collection Clearance Officer
- ICR: Information Collection Request
- ISE: Information Sharing Environment
- ISSO: Information System Security Officer
- IT: Information Technology
- MOU: Memorandum of Understanding
- NARA: National Archives and Records Administration
- NIST: National Institute of Standards and Technology
- OMB: Office of Management and Budget
- PIA: Privacy Impact Assessment
- PII: Personally Identifiable Information
- POA&M: Plan of Action and Milestones
- PRA: Paperwork Reduction Act
- SAOP: Senior Agency Official for Privacy
- SORN: System of Records Notice
- SP: Special Publication
- SSN: Social Security Number
- SSP: System Security Plan

OpenGlobe commented 7 years ago

@femmebot, I think we can change:

2.3 What is the legal authority? to 2.3 What is the legal authority for the system?

2.5 Does this information system or electronic collection require an OMB Control Number? A Privacy Act SORN is required if the information system or electronic collection contains information about individuals that is retrieved by name or other unique identifier. Provide the DOI or Government-wide Privacy Act SORN identifier and ensure it is entered in CSAM for this system. For new SORNS being developed, select “Yes” and provide a detailed explanation. Contact your Bureau Privacy Officer for assistance identifying the appropriate Privacy Act SORN(s).

to

2.5 Is this information system a System of Records under the Privacy Act? A Privacy Act SORN is required if the information system or electronic collection contains information about individuals that is retrieved by name or other unique identifier. Provide the DOI or Government-wide Privacy Act SORN identifier and ensure it is entered in CSAM for this system. For new SORNS being developed, select “Yes” and provide a detailed explanation. Contact your Bureau Privacy Officer for assistance identifying the appropriate Privacy Act SORN(s). You can find examples of published PIAs here.

OpenGlobe commented 7 years ago

Per 2.4 - @ACBarker can you help clarify what you think might work here?

ACBarker commented 7 years ago

@OpenGlobe for 2.5, this is actually a really complex legal analysis. Maybe we keep it simple and say: If your system is a System of Records under the Privacy Act, a System of Records Notice (SORN) is required to be published in the Federal Register. If using an existing SORN, provide the SORN identifier and ensure it is entered in CSAM for this system. For new SORNS being developed, select “Yes” and provide a detailed explanation. Contact your Bureau Privacy Officer for assistance identifying the appropriate Privacy Act SORN(s) or determining whether a SORN is necessary. You can find all DOI SORNs here. (NB PIAs are unrelated to whether a SORN is necessary)

For 2.4 - I'm sorry I've lost the underlying text. Would you mind adding it here?