By Barbara DePompa
, 1105 Government Information Group Custom Media
Nowadays, risks associated with not sharing information can lead to missing clues of an attack, cost lives and endanger the nation's security. This realization has spurred the federal government's intelligence community, for example, to move from a 'need to know' mentality to a 'responsibility to provide' culture, to ensure all intelligence community members can retrieve information and effectively support intelligence requirements.
The biggest challenge federal agencies face in ongoing information sharing initiatives is in managing risks associated with the unauthorized disclosure of sensitive information. This is what led officials at the Office of the Director of National Intelligence (ODNI) to set the goal for establishing a common trust environment. ODNI's common trust environment will enable the free flow of intelligence information among intelligence community participants, based on their identity attributes mission focus and affiliations. ODNI set forth its information sharing security goals in 2008, including:
*Define a uniform identity structure and uniform attributes to enable identity management, develop uniform standards and guidance for identity management, and support decentralized, agency-specific implementation.
* Establish identity management standards for authentication, authorization, auditing, and cross-domain services.
*Develop information security policies to support logical and physical data protection efforts.
* Create a common classification guide for the intelligence community.
* Establish a risk management approach that supports the common trust and information environment while still protecting sources and methods as well as sensitive information from disclosure.
DHS Security Efforts
Meanwhile, in the past two years, the Department of Homeland Security (DHS) has launched a number of initiatives and pilot tests to increase operational information sharing, including the DHS Secure Border Initiative; the Coast Guard-led Inter-agency Operational Centers; and the ICE Agreements of Cooperation in Communities to Enhance Safety and Security (ACCESS) program. According to a Feb. 2009 DoD Directive (number 8000.1), the primary challenge both within DHS and with external information sharing partners is creating a widely accepted process for sharing mission-relevant information, while adequately protecting the information.
According to the directive, lack of trust stems from fears that shared information will not be protected adequately or used appropriately, and that sharing will not always occur in both directions. For example, law enforcement and the intelligence community are concerned that competing information uses will compromise ongoing investigations, sources and methods. State, local, territorial, tribal and private sector partners want assurances that information held at the federal level will be shared adequately with them.
Undoubtedly, federal agencies are forced to comply with multiple security regulations while striving to implement information sharing initiatives. At the federal level, statutory and other policy mandates such as the Privacy Act of 1974, the E-Government Act of 2002, the Homeland Security Act of 2002, the Federal Information Security Management Act of 2002 (FISMA), and Executive Order 12333 require careful safeguarding of information that personally identifies U.S. citizens. Meanwhile, Executive Order 12958, as amended, defines the safeguarding requirements for classified national security information. Other federal regulations and department and agency policies set requirements for the various categories of sensitive but unclassified information. And state and local governments also have enacted privacy and data security laws.
According to the DHS's latest information sharing directive, key security components will include:
*Develop robust information protection and data security protocols that comply with applicable laws, regulations and agreements;
*Devote sufficient resources to train DHS personnel and the department's information sharing partners in appropriate security requirements, protocols, practices, and privacy and civil liberties standards; and
*Adopt technology solutions that support the appropriate level of information and data security and commit sufficient resources to the electronic and physical protection of information media.