Building by the rules: A crash course for federal technologists

In the previous section, we touched on Section 508 of the Rehabilitation Act of 1973 and the importance of building accessible digital products and federal resources. Now, we will cover how the Privacy Act of 1974 and the Federal Information Security Modernization Act (FISMA) work and share resources to learn more.

What is the Privacy Act?

The Privacy Act respects the public’s privacy by limiting government use, reuse, and disclosure of personally identifiable information (PII). Specifically it outlines the following:

• Requires agencies to give public notice about record-keeping systems
• Establishes fair information practices for managing data
• Limits agencies’ ability to share data
• Grants the public access to their own records

The following items illustrate some things you can do to respect the public’s privacy:

• Tell users what information you are collecting from them, and why
• Minimize collecting information where possible; consider public burden
• Conduct Privacy Impact Assessments (PIAs) for systems with PII
• For agency information exchanges – consider pursuing a Computer Matching Agreement
• Agencies must publish notice of its systems of records (also known as System of Records Notice or SORN) in the Federal Register
• Abide by agency and federal disclosure rules
• Consider the Health Insurance Portability and Accountability Act (HIPAA) implications if applicable

Visit Justice.gov to learn more about the Privacy Act of 1974. You may also visit your agency website. For example, the Department of Health and Human Services (HHS) publishes agency-specific Privacy Act information on HHS.gov.

What is FISMA?

The Federal Information Security Modernization Act requires agencies to protect federal information by:

• Creating a cybersecurity plans
• Conducting regular risk assessments
• Implementing cybersecurity controls
• Continuously monitoring their systems for vulnerabilities and attacks

For more information, see the Centers for Medicare and Medicaid Services’ helpful one-pager on FISMA.

To use, buy, or build software for the government, you need an authorization to operate (ATO). This process mostly comes from FISMA. For an overview of ATOs, read An introduction to ATOs.

Federal security compliance is based on evaluating security criteria. Those criteria are a wide-ranging set of considerations called controls. The National Institute for Standards and Technology (NIST) defines these controls in a special publication (SP) called NIST SP 800-53 (Revision 5), Security and Privacy Controls for Information Systems and Organizations. Read An introduction to security and privacy controls for a brief explainer of NIST’s 800-53 control families for information systems and organizations.

The Federal Risk and Authorization Management Program (FedRAMP) is a governmentwide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services. Visit FedRAMP.gov to learn more about the FedRAMP program basics.