Social Media:

Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate

GAO-11-605: Published: Jun 28, 2011. Publicly Released: Jul 28, 2011.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Federal agencies increasingly use recently developed Internet technologies that allow individuals or groups to create, organize, comment on, and share online content. The use of these social media services, including popular Web sites like Facebook, Twitter, and YouTube, has been endorsed by President Obama and provides opportunities for agencies to more readily share information with and solicit feedback from the public. However, these services may also pose risks to the adequate protection of both personal and government information. GAO was asked to (1) describe how federal agencies are currently using commercially provided social media services and (2) determine the extent to which agencies have developed and implemented policies and procedures for managing and protecting information associated with this use. To do this, GAO examined the headquarters-level Facebook pages, Twitter accounts, and YouTube channels of 24 major federal agencies; reviewed pertinent policies, procedures, and guidance; and interviewed officials involved in agency use of social media.

Federal agencies have been adapting commercially provided social media technologies to support their missions. Specifically, GAO identified several distinct ways that 23 of 24 major agencies are using Facebook, Twitter, and YouTube. These include reposting information available on official agency Web sites, posting information not otherwise available on agency Web sites, soliciting comments from the public, responding to comments on posted content, and providing links to non-government sites. For example, agencies used Facebook to post pictures or descriptions of the activities of agency officials and to interact with the public. Agencies used Twitter to provide information in an abbreviated format and to direct the public back to official agency sites. YouTube was used to provide alternate means of accessing videos available on official agency sites, share videos of agency officials discussing topics of interest, or to solicit feedback from the public.

The use of these services can pose challenges in managing and identifying records, protecting personal information, and ensuring the security of federal information and systems. However, the 23 major agencies that GAO identified as using social media have made mixed progress in developing and implementing policies and procedures to address these challenges:

  1. Records management: 12 of the 23 agencies have developed and issued guidance that outlines processes and policies for identifying and managing records generated by their use of social media and record-keeping roles and responsibilities.

  2. Privacy: 12 agencies have updated their privacy policies to describe whether they use personal information made available through social media, and 8 conducted and documented privacy impact assessments to identify potential privacy risks that may exist in using social media given the likelihood that personal information will be made available to the agency by the public.

  3. Security: 7 agencies identified and documented security risks (such as the potential for an attacker to use social media to collect information and launch attacks against federal information systems) and mitigating controls associated with their use of social media.

In several cases, agencies reported having policies in development to address these issues. In other cases, agencies reported that there was no need to have policies or procedures that specifically address the use of social media, since these are addressed in existing policies. However, social media technologies present unique challenges and risks, and without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information, and secure federal systems and information against threats. GAO recommends that agencies ensure that appropriate records management, privacy, and security measures are in place. Most of the agencies agreed with GAO's recommendations. Three agencies did not agree with recommendations made to them; GAO maintains that the actions are necessary.

Recommendations for Executive Action

  1. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that federal agencies have adequate guidance to determine the appropriate method for preserving federal records generated by content presented on agency social media sites, the Archivist of the United States should develop guidance on effectively capturing records from social media sites and that this guidance incorporate best practices.

    Agency Affected: National Archives and Records Administration

  2. Status: Closed - Implemented

    Comments: In October 2011, we verified that the Department of Agriculture had developed privacy impact assessments for its uses of social media technologies, such as Facebook, Twitter, and YouTube. These PIAs, located on the agency's website, identify privacy risks associated with the department's use of social media tools and the mitigating strategies for addressing those risks.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Agriculture should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of Agriculture

  3. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should update privacy policies to describe whether personally identifiable information (PII) made available through use of social media services is collected and used.

    Agency Affected: Department of Commerce

  4. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Commerce

  5. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Defense had updated its Privacy Impact Assessments (PIAs) for its use of Social Media technologies. These PIAs identified the privacy risks associated with the department's use of social media tools and their mitigation strategies for addressing those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Defense should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of Defense

  6. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Education had updated its privacy policy to describe how the agency handles personally identifiable information. The privacy policy, located on Education's website, states that the department does not collect or in any way use personally identifiable information.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Education should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Education

  7. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Energy should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Energy

  8. Status: Closed - Implemented

    Comments: In March 2012, we verified that the Department of Health and Human Services (HHS) had updated its agency privacy policy to include a discussion of the department's collection of PII made available through its use of social media services. Specifically, the policy states that HHS sometimes collects and uses PII made available through third-party websites, but does not share PII made available through third-party websites.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Health and Human Services should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Health and Human Services

  9. Status: Closed - Implemented

    Comments: We verified that DHS, in response to our recommendation, has conducted and documented a security risk assessment associated with its use of social media technologies. This assessment provided information pertaining to, among other things, DHS's evaluation of its use of resources and controls to identify and mitigate vulnerabilities that pose internal and external threats to the agency. According to DHS's Social Media Risk Assessment Report, evaluations of social media risks were conducted in accordance with risk management guidelines specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30.

    Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Homeland Security should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Homeland Security

  10. Status: Closed - Implemented

    Comments: In August 2011, we verified that the Department of Housing and Urban Development (HUD) had conducted security risk assessments on the agency's use of Social Media Technologies, such as Twitter and YouTube. This security assessment identified, among other things, security risks that social media poses to HUD information systems and the mitigating controls HUD has in place to address those identified risks.

    Recommendation: To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Housing and Urban Development should conduct and document a security risk assessment to assess security threats associated with agency use of Twitter and YouTube and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Housing and Urban Development

  11. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Labor had updated its privacy policy on its Web site to include discussion of its use of PII made available through social media. Specifically, this policy states that PII cannot be requested from or collected by the department on its social media sites.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Labor should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Labor

  12. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of Twitter and YouTube and identifies protections to address them.

    Agency Affected: Department of State

  13. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of State

  14. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Department of Transportation

  15. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Department of Transportation

  16. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of the Treasury should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of the Treasury

  17. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Veterans Affairs had updated its social media policy to include guidance on the agency's records management process. This policy describes the department's records management processes and policies, including the roles and responsibilities of record keeping.

    Recommendation: To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

    Agency Affected: Department of Veterans Affairs

  18. Status: Closed - Implemented

    Comments: In September 2011, we verified that the Department of Veterans Affairs had conducted a privacy impact assessment for its use of social media technologies. This PIA identified potential privacy risks associated with the agency's use of third-party websites and applications and mitigation strategies to address those risks.

    Recommendation: To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Department of Veterans Affairs

  19. Status: Closed - Implemented

    Comments: In August 2011, we verified that the Environmental Protection Agency had conducted and documented a privacy impact assessment (PIA) for the agency's use of social media services. The PIA identifies potential privacy risks associated with the agency's use of social media services and protections to address them.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Environmental Protection Agency

  20. Status: Closed - Implemented

    Comments: In June 2012, we verified that the Environmental Protection Agency had conducted a security risk assessment associated with its use of social media sites. This assessment provides, among other things, information on the agency's use of social media services and identifies potential security risks associated with these sites and mitigating controls to address those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Environmental Protection Agency

  21. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: General Services Administration

  22. Status: Closed - Implemented

    Comments: In August 2011, we verified that the General Services Administration had conducted privacy impact assessments for its use of social media technologies. These PIAs state that GSA currently uses social media venues for one-way marketing and that GSA does not collect or solicit personally identifiable information through these venues.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: General Services Administration

  23. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: National Aeronautics and Space Administration

  24. Status: Closed - Implemented

    Comments: In August 2014, we verified that the National Aeronautics and Space Administration (NASA) had developed a Privacy Impact Assessment (PIA) for its use of social media technologies, including authorized social media websites and applications owned by NASA and/or third parties on behalf of the agency. This PIA identifies the type of information that could be collected through its social media websites and the agency's information sharing practices regarding content collected or shared on these sites by users.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: National Aeronautics and Space Administration

  25. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: National Aeronautics and Space Administration

  26. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

    Agency Affected: National Science Foundation

  27. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: National Science Foundation

  28. Status: Closed - Implemented

    Comments: In January 2012, we verified that the Office of Personnel Management had conducted privacy impact assessments (PIAs) for its use of social media services. These PIAs identify, among other things, potential privacy risks associated with the agency's use of social media services and mitigation strategies to address those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Office of Personnel Management

  29. Status: Closed - Implemented

    Comments: In February 2012, we verified that the Office of Personnel Management had conducted a security risk assessment in association with its use of social media technologies. This assessment evaluated, among other things, privacy threats and vulnerabilities associated with its use of social media services, including a likelihood-impact risk determination analysis of potential threats and recommended controls to mitigate those risks.

    Recommendation: To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: Office of Personnel Management

  30. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the Small Business Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them.

    Agency Affected: Small Business Administration

  31. Status: Closed - Implemented

    Comments: In February 2015, we verified that the Social Security Administration (SSA) had updated its Internet privacy policy to include information on the agency's use of social media sites. Specifically, the policy states that while SSA moderates comments or opinions made on third-party social media sites, it does not collect, maintain, or disseminate any personally identifiable information made available to SSA by those sites or users of those sites.

    Recommendation: To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Commissioner of the Social Security Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used.

    Agency Affected: Social Security Administration

  32. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities.

    Agency Affected: United States Agency for International Development

  33. Status: Closed - Implemented

    Comments: In March 2012, we verified that USAID conducted a security risk assessment on the agency's use of social media services. This assessment evaluated security threats associated with the agency's use of social media services as well as identified security controls that can be used to mitigate these risks.

    Recommendation: To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats.

    Agency Affected: United States Agency for International Development
