Social Media:

Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate

GAO-11-605: Published: Jun 28, 2011. Publicly Released: Jul 28, 2011.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Federal agencies increasingly use recently developed Internet technologies that allow individuals or groups to create, organize, comment on, and share online content. The use of these social media services, including popular Web sites like Facebook, Twitter, and YouTube, has been endorsed by President Obama and provides opportunities for agencies to more readily share information with and solicit feedback from the public. However, these services may also pose risks to the adequate protection of both personal and government information. GAO was asked to (1) describe how federal agencies are currently using commercially provided social media services and (2) determine the extent to which agencies have developed and implemented policies and procedures for managing and protecting information associated with this use. To do this, GAO examined the headquarters-level Facebook pages, Twitter accounts, and YouTube channels of 24 major federal agencies; reviewed pertinent policies, procedures, and guidance; and interviewed officials involved in agency use of social media.

Federal agencies have been adapting commercially provided social media technologies to support their missions. Specifically, GAO identified several distinct ways that 23 of 24 major agencies are using Facebook, Twitter, and YouTube. These include reposting information available on official agency Web sites, posting information not otherwise available on agency Web sites, soliciting comments from the public, responding to comments on posted content, and providing links to non-government sites. For example, agencies used Facebook to post pictures or descriptions of the activities of agency officials and to interact with the public. Agencies used Twitter to provide information in an abbreviated format and to direct the public back to official agency sites. YouTube was used to provide alternate means of accessing videos available on official agency sites, share videos of agency officials discussing topics of interest, or to solicit feedback from the public.

The use of these services can pose challenges in managing and identifying records, protecting personal information, and ensuring the security of federal information and systems. However, the 23 major agencies that GAO identified as using social media have made mixed progress in developing and implementing policies and procedures to address these challenges:

(1) Records management: 12 of the 23 agencies have developed and issued guidance that outlines processes and policies for identifying and managing records generated by their use of social media and record-keeping roles and responsibilities.

(2) Privacy: 12 agencies have updated their privacy policies to describe whether they use personal information made available through social media, and 8 conducted and documented privacy impact assessments to identify potential privacy risks that may exist in using social media given the likelihood that personal information will be made available to the agency by the public.

(3) Security: 7 agencies identified and documented security risks (such as the potential for an attacker to use social media to collect information and launch attacks against federal information systems) and mitigating controls associated with their use of social media.

In several cases, agencies reported having policies in development to address these issues. In other cases, agencies reported that there was no need to have policies or procedures that specifically address the use of social media, since these are addressed in existing policies. However, social media technologies present unique challenges and risks, and without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information, and secure federal systems and information against threats. GAO recommends that agencies ensure that appropriate records management, privacy, and security measures are in place. Most of the agencies agreed with GAO's recommendations. Three agencies did not agree with recommendations made to them; GAO maintains that the actions are necessary.

Recommendations for Executive Action

  1. Status: Open

    Comments: In their initial response, department officials reported that the department has yet to conduct a security risk assessment for its use of social media.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Commerce

  2. Status: Open

    Comments: The department has yet to provide an update to this recommendation.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of the Treasury should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of the Treasury

  3. Status: Open

    Comments: GAO received DOT's letter on November 1, 2011 stating that DOT is implementing processes to formally assess security risks associated with the use of social media and document decisions and rationale regarding their use. The Department anticipates completing the assessment before the end of FY 2012 and any decisions regarding the use of social media will be accompanied by the identification of security controls that can mitigate threats, to the extent that such controls are available and appropriate.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Transportation

  4. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Education had updated its privacy policy to describe how the agency handles personally identifiable information. The privacy policy, located on Education's website, describes that the department does not collect or in any way use personally identifiable information.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Education should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Education

  5. Status: Open

    Comments: The department has yet to provide an update to this recommendation.

    Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Energy should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Energy

  6. Status: Open

    Comments: GAO received DOT's letter on November 1, 2011 stating that DOT third-party web-based interactive technologies must follow the privacy policies outlined in DOT Orders. This includes complying with requirements to collect only necessary information, and to conduct an adapted Privacy Impact Assessment (PIA), as outlined by OMB. DOT will complete the latest update to its Privacy Policy, which will include additional specificity relating to the recommended actions, before the end of fiscal year (FY) 2012.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Transportation

  7. Status: Open

    Comments: The department has yet to provide an update to this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of State

  8. Status: Open

    Comments: The department has yet to provide an update to this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of Twitter and YouTube and identifies protections to address them.

    Agency Affected: Department of State

  9. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Labor had updated its privacy policy on its Web site to include discussion of its use of PII made available through social media. Specifically, this policy states that PII cannot be requested from or collected by the department on its social media sites.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Labor should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Labor

  10. Status: Closed - Implemented

    Comments: In August 2011, we verified that the Department of Housing and Urban Development (HUD) had conducted security risk assessments on the agency's use of Social Media Technologies, such as Twitter and YouTube. This security assessment identified, among other things, security risks that social media poses to HUD information systems and the mitigating controls HUD has in place to address those identified risks.

    Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Housing and Urban Development should conduct and document a security risk assessment to assess security threats associated with agency use of Twitter and YouTube and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Housing and Urban Development

  11. Status: Open

    Comments: The department has yet to provide an update to this recommendation.

    Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Homeland Security should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Homeland Security

  12. Status: Closed - Implemented

    Comments: In March 2012, we verified that the Department of Health and Human Services (HHS) had updated its agency privacy policy to include a discussion of the department's collection of PII made available through its use of social media services. Specifically, the policy states that HHS sometimes collects and uses PII made available through third-party websites, but does not share PII made available through third-party websites.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Health and Human Services should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Health and Human Services

  13. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Defense had updated its Privacy Impact Assessments (PIAs) for its use of Social Media technologies. These PIAs identified the privacy risks associated with the department's use of social media tools and their mitigation strategies for addressing those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Defense should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of Defense

  14. Status: Open

    Comments: The agency has yet to provide an update to this recommendation.

    Recommendation: To ensure that federal agencies have adequate guidance to determine the appropriate method for preserving federal records generated by content presented on agency social media sites, the Archivist of the United States should develop guidance on effectively capturing records from social media sites and that this guidance incorporate best practices.

    Agency Affected: National Archives and Records Administration

  15. Status: Closed - Implemented

    Comments: In October 2011, we verified that the Department of Agriculture had developed privacy impact assessments for its uses of social media technologies, such as Facebook, Twitter, and YouTube. These PIAs, located on the agency's website, identify privacy risks associated with the department's use of social media tools and their mitigating strategies for addressing those risks.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Agriculture should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of Agriculture

  16. Status: Open

    Comments: In an initial response to the recommendation, department officials reported that they are in the process of updating the privacy policy on the main department Web site.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should update privacy policies to describe whether personally identifiable information (PII) made available through use of social media services is collected and used.

    Agency Affected: Department of Commerce

  17. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Veterans Affairs had updated its social media policy to include guidance on the agency's records management process. This policy describes the department's records management processes and policies, including the roles and responsibilities of record keeping.

    Recommendation: To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

    Agency Affected: Department of Veterans Affairs

  18. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Veterans Affairs had conducted a privacy impact assessment for their use of social media technologies. This PIA identified potential privacy risks associated with the agency's use of third-party websites and applications and mitigation strategies to address those risks.

    Recommendation: To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of Veterans Affairs

  19. Status: Open

    Comments: The agency has yet to provide an update to this recommendation. Additionally, there has not been any updated documentation provided on the NSF website to show implementation of this recommendation.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

    Agency Affected: National Science Foundation

  20. Status: Open

    Comments: The agency has yet to provide an update to this recommendation. Additionally, there has not been any updated documentation provided on the NASA website to show implementation of this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: National Aeronautics and Space Administration

  21. Status: Open

    Comments: The agency has yet to provide an update to this recommendation. Additionally, there has not been any updated documentation provided on the NSF website to show implementation of this recommendation.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: National Science Foundation

  22. Status: Closed - Implemented

    Comments: In January 2012, we verified that the Office of Personnel Management had conducted privacy impact assessments (PIAs) for its use of social media services. These PIAs identify, among other things, potential privacy risks associated with the agency's use of social media services and mitigation strategies to address those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Office of Personnel Management

  23. Status: Closed - Implemented

    Comments: In February 2012, we verified that the Office of Personnel Management had conducted a security risk assessment in association with its use of social media technologies. This assessment evaluated, among other things, privacy threats and vulnerabilities associated with their use of social media services, including a likelihood-impact risk determination analysis of potential threats and recommended controls to mitigate those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Office of Personnel Management

  24. Status: Open

    Comments: SBA has yet to develop PIAs for its uses of social media technologies.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the Small Business Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Small Business Administration

  25. Status: Open

    Comments: In September 2012, we verified that the Social Security Administration (SSA) has updated its internet privacy policy to include information on the agency's use of social media sites. Specifically, the policy states that while SSA moderates comments or opinions made on third party social media sites, they do not collect, maintain, or disseminate any personally identifiable information made available to SSA by those sites or users of those sites.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Commissioner of the Social Security Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Social Security Administration

  26. Status: Open

    Comments: The agency has yet to provide an update to this recommendation.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

    Agency Affected: United States Agency for International Development

  27. Status: Closed - Implemented

    Comments: In March 2012, we verified that USAID conducted a security risk assessment on the agency's use of social media services. This assessment evaluated security threats associated with the agency's use of social media services and identified security controls that can be used to mitigate these risks.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: United States Agency for International Development

  28. Status: Open

    Comments: The agency has yet to provide an update to this recommendation. Additionally, there has not been any updated documentation provided on the NASA website to show implementation of this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: National Aeronautics and Space Administration

  29. Status: Open

    Comments: The agency has yet to provide an update to this recommendation. Additionally, there has not been any updated documentation provided on the NASA website to show implementation of this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: National Aeronautics and Space Administration

  30. Status: Closed - Implemented

    Comments: In August 2011, we verified that the General Services Administration had conducted privacy impact assessments for its use of social media technologies. These PIAs state that social media venues are currently used for one-way marketing and that GSA does not collect nor solicit personally identifiable information through these venues.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: General Services Administration

  31. Status: Closed - Implemented

    Comments: In August 2011, we verified that the Environmental Protection Agency had conducted and documented a privacy impact assessment (PIA) for the agency's use of social media services. The PIA identifies potential privacy risks associated with the agency's use of social media services and protections to address them.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Environmental Protection Agency

  32. Status: Closed - Implemented

    Comments: In June 2012, we verified that the Environmental Protection Agency had conducted a security risk assessment associated with its use of social media sites. This assessment provides, among other things, information on the agency's use of social media services and identifies potential security risks associated with these sites and mitigation controls to address those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Environmental Protection Agency

  33. Status: Open

    Comments: On September 30, 2011, GSA published its CPO 1878.2B, Conducting Privacy Impact Assessments (PIAs) in GSA. This order established policy and procedures for addressing issues in GSA information technology systems and, among other things, social media venues containing personal information about individuals. Further, the order states that GSA has instituted the Privacy Impact Assessment as the means for ensuring that GSA's information systems, online websites, and social media venues protect the privacy of individuals. As part of GSA's policy, PIAs are required to answer a number of qualification questions, including whether systems collect identifiable information, what information will be collected, and what controls are in place to protect the data and prevent unauthorized access.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: General Services Administration
