While Congress and the White House deliberate possible actions on FISMA reform and increased oversight of critical infrastructure, relatively little attention is being given to the government-wide cybersecurity regulation already in place, the Data Quality Act (DQA).
Unlike FISMA, which primarily governs the government’s internal cybersecurity processes, and contemplated legislation and/or Executive Order(s), which would likely also include a focus on critical infrastructure protection, the DQA contains a unique mandate. Specifically, the law and its implementing regulations set standards for the quality of virtually all information disseminated by the Executive Branch — including data which has been collected from the private sector as well as states and municipalities.
The DQA defines “quality” as including three constituent components: Objectivity, Utility and Integrity. Cybersecurity is of particular relevance to the Integrity aspect of Data Quality. Integrity has been defined by the White House Office of Management and Budget (OMB) to refer to “the security of information — protection of the information from unauthorized access or revision, to ensure that the information is not compromised through corruption or falsification.”
As discussed below, the DQA effectively requires that federal agencies attest to the cybersecurity of the underlying data collection/storage/processing/transmission systems when they publicly release work products using that data. Virtually all publicly distributed Executive Branch reports, analyses, regulations and other information disseminations are covered by the DQA — as are the underlying data sets and analytic methodologies and models.
What makes the cybersecurity aspects of the DQA distinct from FISMA or any other law is that, while the compliance burden is placed solely on federal agencies, the applicability is to all parties who provide the government with data that serves as the basis for federal information disseminations, even if the underlying data is distributed only in summary form or after analysis.
In short, unless agencies are able to attest to the cybersecurity of the information systems producing, processing and/or storing data, they will not be able to make use of that information in public disseminations.
Two key aspects of the DQA are that:
1. Standards Compliance – Agencies are prohibited from publicly disseminating information prior to the agency verifying its conformity with DQA requirements through a pre-dissemination review process; and
2. Correction Mechanism – The public is provided with an administrative process by which affected parties, such as corporations, trade associations, civil society and state/local governments, may “seek and obtain” correction of federally-disseminated information products not in conformity with the Act.
With respect to the DQA’s Integrity component, OMB’s government-wide guidelines, promulgated in 2002, explain that “agencies may rely on their implementation of the Federal Government’s computer security laws (formerly, the Computer Security Act, and now the computer security provisions of the Paperwork Reduction Act) to establish appropriate security safeguards for ensuring the ‘integrity’ of the information that the agencies disseminate.”
The FISMA and Paperwork Reduction Act (PRA) security provisions referred to in the Guidelines, along with OMB Circular A-130, apply primarily to federal data resources. To the extent that federal agencies disseminate reports, rules or other data which incorporate and/or rely on data from third parties, such as the private sector, the DQA’s Integrity requirement, and the need for federal agencies to be able to verify that information products meet the requirement, still applies.
How the cybersecurity aspects of DQA’s Integrity standard will be applied to data generated by the private sector when the data is used in a federal report or other information dissemination is an evolving issue. OMB Watch has noted that an action by the Center for Regulatory Effectiveness was “precedent-setting in two ways: it is the first effort to use the Data Quality Act to address third party submitted information; perhaps more troubling, this effort also challenges information before it is used or relied upon by the agency.”
A major test of the cybersecurity aspects of the Integrity component of Data Quality will come in a National Highway Traffic Safety Administration (NHTSA) regulatory requirement that automobiles be equipped with “black boxes.”
Unless NHTSA is able to ensure that the data from the “black boxes” it is requiring is secure, the agency will not be able to disseminate reports, analyses or other information that uses or relies on the data.
Both the regulators and the regulated community need to pay close attention to the cybersecurity standards inherent in the Integrity component of the DQA because, even if they don’t, hackers will.