This is the accessible text file for GAO report number GAO-11-605 
entitled 'Social Media: Federal Agencies Need Policies and Procedures 
for Managing and Protecting Information They Access and Disseminate' 
which was released on July 28, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Requesters: 

June 2011: 

Social Media: 

Federal Agencies Need Policies and Procedures for Managing and 
Protecting Information They Access and Disseminate: 

GAO-11-605: 

GAO Highlights: 

Highlights of GAO-11-605, a report to congressional requesters. 

Why GAO Did This Study: 

Federal agencies increasingly use recently developed Internet 
technologies that allow individuals or groups to create, organize, 
comment on, and share online content. The use of these social media 
services-—including popular Web sites like Facebook, Twitter, and 
YouTube-—has been endorsed by President Obama and provides 
opportunities for agencies to more readily share information with and 
solicit feedback from the public. However, these services may also 
pose risks to the adequate protection of both personal and government 
information. 

GAO was asked to (1) describe how federal agencies are currently using 
commercially provided social media services and (2) determine the 
extent to which agencies have developed and implemented policies and 
procedures for managing and protecting information associated with 
this use. To do this, GAO examined the headquarters-level Facebook 
pages, Twitter accounts, and YouTube channels of 24 major federal 
agencies; reviewed pertinent policies, procedures, and guidance; and 
interviewed officials involved in agency use of social media. 

What GAO Found: 

Federal agencies have been adapting commercially provided social media 
technologies to support their missions. Specifically, GAO identified 
several distinct ways that 23 of 24 major agencies are using Facebook, 
Twitter, and YouTube. These include reposting information available on 
official agency Web sites, posting information not otherwise available 
on agency Web sites, soliciting comments from the public, responding 
to comments on posted content, and providing links to non-government 
sites. For example, agencies used Facebook to post pictures or 
descriptions of the activities of agency officials and to interact 
with the public. Agencies used Twitter to provide information in an 
abbreviated format and to direct the public back to official agency 
sites. YouTube was used to provide alternate means of accessing videos 
available on official agency sites, share videos of agency officials 
discussing topics of interest, or to solicit feedback from the public. 

The use of these services can pose challenges in managing and 
identifying records, protecting personal information, and ensuring the 
security of federal information and systems. However, the 23 major 
agencies that GAO identified as using social media have made mixed 
progress in developing and implementing policies and procedures to 
address these challenges: 

* Records management: 12 of the 23 agencies have developed and issued 
guidance that outlines processes and policies for identifying and 
managing records generated by their use of social media and record-
keeping roles and responsibilities. 

* Privacy: 12 agencies have updated their privacy policies to describe 
whether they use personal information made available through social 
media, and conducted and documented privacy impact assessments to 
identify potential privacy risks that may exist in using social media 
given the likelihood that personal information will be made available 
to the agency by the public. 

* Security: 7 agencies identified and documented security risks (such 
as the potential for an attacker to use social media to collect 
information and launch attacks against federal information systems) 
and mitigating controls associated with their use of social media. 

In several cases, agencies reported having policies in development to 
address these issues. In other cases, agencies reported that there was 
no need to have policies or procedures that specifically address the 
use of social media, since these are addressed in existing policies. 
However, social media technologies present unique challenges and 
risks, and without establishing guidance and assessing risks specific 
to social media, agencies cannot be assured that they are adequately 
meeting their responsibilities to manage and preserve federal records, 
protect the privacy of personal information, and secure federal 
systems and information against threats. 

What GAO Recommends: 

GAO recommends that agencies ensure that appropriate records 
management, privacy, and security measures are in place. Most of the 
agencies agreed with GAO’s recommendations. Three agencies did not 
agree with recommendations made to them; GAO maintains that the 
actions are necessary. 

View [hyperlink, http://www.gao.gov/products/GAO-11-605] or key 
components. For more information, contact Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Federal Agencies Have Used Social Media Services for a Variety of 
Purposes: 

Federal Agencies Have Made Mixed Progress in Developing Policies and 
Procedures for Managing and Protecting Information Associated with 
Social Media Use: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Recommendations to Departments and Agencies: 

Appendix III: Comments from the National Archives and Records 
Administration: 

Appendix IV: Comments from the Department of Commerce: 

Appendix V: Comments from the U.S. Department of Agriculture: 

Appendix VI: Comments from the Department of State: 

Appendix VII: Comments from the General Services Administration: 

Appendix VIII: Comments from the Department of Defense: 

Appendix IX: Comments from the Department of Education: 

Appendix X: Comments from the Department of Homeland Security: 

Appendix XI: Comments from the Department of Housing and Urban 
Development: 

Appendix XII: Comments from the Department of Veterans Affairs: 

Appendix XIII: Comments from the Environmental Protection Agency: 

Appendix XIV: Comments from the National Aeronautics and Space 
Administration: 

Appendix XV: Comments from the Office of Personnel Management: 

Appendix XVI: Comments from the Social Security Administration: 

Appendix XVII: Comments from the U.S. Agency for International 
Development: 

Appendix XVIII: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Examples of Security Threats Agencies Face When Using 
Commercially Provided Social Media Services: 

Table 2: Extent to Which Major Federal Agencies Have Developed 
Policies and Procedures for Using Social Media: 

Figure: 

Figure 1: Agency Use of Facebook, Twitter, and YouTube from July 2010 
through January 2011: 

Abbreviations: 

CIO: Chief Information Officer: 

DHS: Department of Homeland Security: 

DOD: Department of Defense: 

DOE: Department of Energy: 

FISMA: Federal Information Security Management Act: 

FTC: Federal Trade Commission: 

HUD: Department of Housing and Urban Development: 

NARA: National Archives and Records Administration: 

NASA: National Aeronautics and Space Administration: 

NIST: National Institute of Standards and Technology: 

NRC: Nuclear Regulatory Commission: 

OMB: Office of Management and Budget: 

PIA: privacy impact assessment: 

PII: personally identifiable information: 

SBA: Small Business Administration: 

SSA: Social Security Administration: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

June 28, 2011: 

Congressional Requesters: 

Federal agencies are increasingly using recently developed Internet 
technologies (commonly referred to as "Web 2.0" technologies) that 
offer flexible, sophisticated capabilities for interaction with 
individuals, allowing participants to publish comments, photos, and 
videos directly on agency-sponsored Web pages. These technologies 
include services offered by social networking sites (such as Facebook 
and Twitter) and video-sharing Web sites (such as YouTube), which 
allow individuals or groups of individuals to create, organize, edit, 
comment on, and share content. 

The use of these services by federal agencies was endorsed in a 
January 2009 memorandum by President Obama promoting transparency and 
open government.[Footnote 1] The memorandum encouraged executive 
departments and agencies to harness new technologies to put 
information about their operations and decisions online so that it 
would be readily available to the public. It also encouraged the 
solicitation of public feedback to identify information of the 
greatest use to the public, assess and improve levels of 
collaboration, and identify new opportunities for cooperation in 
government. However, while such use of social media offers the 
potential to better include people in the governing process and 
further agency missions, use of these services may also pose risks 
that government records and sensitive information, including 
personally identifiable information (PII),[Footnote 2] is not properly 
managed or protected. 

You asked us to review federal agencies' use of commercially provided 
social media services. Specifically, as agreed with your offices, our 
objectives were to (1) describe how federal agencies are currently 
using commercially provided social media services, and (2) determine 
the extent to which federal agencies have developed and implemented 
policies and procedures for managing and protecting information 
associated with this use. 

To address our first objective, we examined department-level Facebook 
pages, Twitter accounts, and YouTube channels associated with each of 
the 24 major federal agencies covered by the Chief Financial Officers 
Act[Footnote 3] to describe the types of information agencies 
disseminated via the services and the nature of their interactions 
with the public.[Footnote 4] We categorized agency use based on types 
of information found on their social media pages.[Footnote 5] In 
addition, we interviewed agency officials to discuss the extent to 
which they collect and use personally identifiable information 
provided by the public on their social media pages. 

To address our second objective, we reviewed pertinent records 
management, privacy, and security policies, procedures, guidance, and 
risk assessments in place at each of the 23 major agencies and 
compared them to relevant federal regulations and guidance on records 
management, privacy, and security. We also reviewed relevant reports 
and studies to identify records management, privacy, and security 
risks associated with social media use by federal agencies. Finally, 
in coordination with the National Academy of Public Administration, 
[Footnote 6] we conducted a roundtable discussion to solicit views on 
these issues from federal officials involved in agency use of social 
media. 

We conducted this performance audit from July 2010 to June 2011 in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. Our 
objectives, scope, and methodology are discussed in more detail in 
appendix I. 

Background: 

Internet-based services using Web 2.0 technology have become 
increasingly popular. Web 2.0 technologies are a second generation of 
the World Wide Web as an enabling platform for Web-based communities 
of interest, collaboration, and interactive services. These 
technologies include Web logs (known as "blogs"), which allow 
individuals to respond online to agency notices and other postings; 
"wikis," which allow individual users to directly collaborate on the 
content of Web pages; "podcasting," which allows users to download 
audio content; and "mashups," which are Web sites that combine content 
from multiple sources. Web 2.0 technologies also include social media 
services, which allow individuals or groups of individuals to create, 
organize, edit, comment on, and share content. These include social 
networking sites (such as Facebook and Twitter) and video-sharing Web 
sites (such as YouTube). 

While in the past Internet usage concentrated on sites that provide 
online shopping opportunities and other services, according to the 
Nielsen Company,[Footnote 7] social media-related sites have moved to 
the forefront. In June 2010, it reported that Internet users worldwide 
accessed social media sites one out of every 4 1/2 minutes they spent 
online on average. The use of social networking services now 
reportedly exceeds Web-based e-mail usage, and the number of American 
users frequenting online video sites has more than tripled since 2003. 
The Nielsen Company reported that during the month of April 2010, the 
average user spent nearly 6 hours on social media-related sites. 

Facebook is a social networking site that lets users create personal 
profiles describing themselves and then locate and connect with 
friends, co-workers, and others who share similar interests or who 
have common backgrounds. Individual profiles may contain--at the 
user's discretion--detailed personal information, including birth 
date, home address, telephone number, employment history, educational 
background, and religious beliefs. Facebook also allows any user to 
establish a "page" to represent an organization (including federal 
agencies), business, or public figure in order to disseminate 
information to users who choose to connect with them. These users can 
leave comments in response to information posted on such a page. 
Profile information for these users may be made available to the 
administrators of these pages, depending on settings controlled by the 
user. According to the Facebook site, Facebook has over 500 million 
active users who spend more than 700 billion minutes per month on 
Facebook. 

Twitter is a social networking site that allows users to share and 
receive information through short messages that are also known as 
"tweets." These messages are no longer than 140 characters in length. 
Twitter users can establish accounts by providing a limited amount of 
PII but may elect to provide additional PII if they wish. Users can 
post messages to their profile pages and reply to other Twitter users' 
tweets. Users can "follow" other users as well--i.e., subscribe to 
their tweets. In March 2011, Twitter reported adding an average of 
460,000 new accounts and facilitating the delivery of 140 million 
tweets every day. 

YouTube is a video-sharing site that allows users to discover, watch, 
upload, comment on, and share originally created videos. Similar to 
Twitter, users can establish accounts on YouTube with only limited 
amounts of PII, although they may choose to provide more detailed 
information on their profile page. Users can comment on videos posted 
on a page either in written responses or by uploading their own 
videos.[Footnote 8] According to YouTube, during 2010 more than 13 
million hours of video were uploaded. 

Federal agencies are increasingly using these social media tools to 
enhance services and interactions with the public. As of April 2011, 
23 of 24 major federal agencies had established accounts on Facebook, 
Twitter, and YouTube.[Footnote 9] Furthermore, the public increasingly 
follows the information provided by federal agencies on these 
services. For example, as of April 2011, the U.S. Department of State 
had over 72,000 users following its Facebook page; the National 
Aeronautics and Space Administration (NASA) had over 992,000 Twitter 
followers; and a video uploaded by NASA on YouTube in December 2010 
had over 360,000 views as of April 2011. 

Federal Agencies Are Responsible for Managing Records, Protecting 
Privacy, and Ensuring Adequate Security: 

The Federal Records Act establishes requirements for records 
management programs in federal agencies. Each federal agency is 
required to make and preserve records that (1) document the 
organization, functions, policies, decisions, procedures, and 
essential transactions of the agency and (2) provide the information 
necessary to protect the legal and financial rights of the government 
and of persons directly affected by the agency's activities. The 
Federal Records Act defines a federal record without respect to 
format. Records include all books, papers, maps, photographs, machine 
readable materials, or other documentary materials, regardless of 
physical form or characteristics, made or received by an agency of the 
government under federal law or in connection with the transaction of 
public business and preserved or appropriate for preservation by that 
agency as evidence of the organization, functions, policies, 
decisions, procedures, operations, or other activities of the 
government or because of the informational value of data in them. 

The agency responsible for providing guidance for adhering to the 
Federal Records Act is the National Archives and Records 
Administration (NARA). NARA is responsible for issuing records 
management guidance; working with agencies to implement effective 
controls over the creation, maintenance, and use of records in the 
conduct of agency business; providing oversight of agencies' records 
management programs; approving the disposition (destruction or 
preservation) of records; and providing storage facilities for agency 
records. 

In October 2010, NARA issued a bulletin to provide guidance to federal 
agencies in managing records produced when federal agencies use social 
media platforms for federal business.[Footnote 10] The bulletin 
highlighted the requirement for agencies to decide how they will 
manage records created in social media environments in accordance with 
applicable federal laws and regulations. As part of this effort, the 
guidance emphasized the need for active participation of agency 
records management staff, Web managers, social media managers, 
information technology staff, privacy and information security staff, 
and other relevant stakeholders at each federal agency. 

Privacy Laws and Guidance Set Requirements to Ensure the Protection of 
Personal Information: 

The primary laws that provide privacy protections for personal 
information accessed or held by the federal government are the Privacy 
Act of 1974 and E-Government Act of 2002. These laws describe, among 
other things, agency responsibilities with regard to protecting PII. 
The Privacy Act places limitations on agencies' collection, 
disclosure, and use of personal information maintained in systems of 
records. A system of records is a collection of information about 
individuals under control of an agency from which information is 
retrieved by the name of an individual or other identifier. The E-
Government Act of 2002 requires agencies to assess the impact of 
federal information systems on individuals' privacy. Specifically, the 
E-Government Act strives to enhance the protection of personal 
information in government information systems and information 
collections by requiring agencies to conduct privacy impact 
assessments (PIA). 

A PIA is an analysis of how personal information is collected, stored, 
shared, and managed in a federal system. Specifically, according to 
Office of Management and Budget (OMB) guidance, the purpose of a PIA 
is to (1) ensure handling conforms to applicable legal, regulatory, 
and policy requirements regarding privacy; (2) determine the risks and 
effects of collecting, maintaining, and disseminating information in 
identifiable form in an electronic information system; and (3) examine 
and evaluate protections and alternative processes for handling 
information to mitigate potential privacy risks. 

In June 2010, OMB issued guidance to federal agencies for protecting 
privacy when using Web-based technologies (such as social media). 
[Footnote 11] The guidance built upon the protections and requirements 
outlined in the Privacy Act and E-Government Act and called for 
agencies to develop transparent privacy policies and notices to ensure 
that agencies provide adequate notice of their use of social media 
services to the public, and to analyze privacy implications whenever 
federal agencies choose to use such technologies to engage with the 
public. 

Key Laws and Guidance Set Agencies' Responsibilities for Securing 
Government Information: 

The Federal Information Security Management Act of 2002 (FISMA) 
established a framework designed to ensure the effectiveness of 
security controls over information resources that support federal 
operations and assets. According to FISMA, each agency is responsible 
for, among other things, providing information security protections 
commensurate with the risk and magnitude of the harm resulting from 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of information collected or maintained by or on behalf of 
the agency and information systems used or operated by an agency or by 
a contractor of an agency or other organization on behalf of an agency. 

Consistent with its statutory responsibilities under FISMA, in August 
2009 the National Institute of Standards and Technology (NIST) issued 
an update to its guidance on recommended security controls for federal 
information systems and organizations.[Footnote 12] The NIST guidance 
directs agencies to select and specify security controls for 
information systems based on an assessment of the risk to 
organizational operations and assets, individuals, other 
organizations, and the nation associated with operation of those 
systems. According to the guidance, the use of a risk-based approach 
is applicable not just to the operation of the agency's internal 
systems but is also important when an agency is using technology for 
which its ability to establish security controls may be limited, such 
as when using a third-party social media service. 

GAO Has Identified Challenges in Agencies' Use of Social Media: 

In July 2010, we testified that while the use of Web 2.0 technologies, 
including social media technologies, can transform how federal 
agencies engage the public by allowing citizens to be more involved in 
the governing process, agency use of such technologies can also 
present challenges related to records management, privacy, and 
security.[Footnote 13] 

* Records Management: We reported that Web 2.0 technologies raised 
issues concerning the government's ability to identify and preserve 
federal records. Agencies may face challenges in assessing whether the 
information they generate and receive by means of these technologies 
constitutes federal records. Furthermore, once the need to preserve 
information as federal records has been established, mechanisms need 
to be put in place to capture such records and preserve them properly. 
We stated that proper records retention management needs to take into 
account NARA record scheduling requirements and federal law, which 
require that the disposition of all federal records be planned 
according to an agency schedule or a general records schedule approved 
by NARA. 

We highlighted that these requirements may be challenging for agencies 
because the types of records involved when information is collected 
via Web 2.0 technologies may not be clear. As previously mentioned, in 
October 2010, NARA issued further guidance that clarified agency 
responsibilities in making records determinations. 

* Privacy: We noted, among other things, that agencies faced 
challenges in ensuring that they are taking appropriate steps to limit 
the collection and use of personal information made available through 
social media. We stated that privacy could be compromised if clear 
limits were not set on how the government uses personal information to 
which it has access in social networking environments. Social 
networking sites, such as Facebook, encourage people to provide 
personal information that they intend to be used only for social 
purposes. Government agencies that participate in such sites may have 
access to this information and may need rules on how such information 
can be used. While such agencies cannot control what information may 
be captured by social networking sites, they can make determinations 
about what information they will collect and what to disclose. 
However, unless rules to guide their decisions are clear, agencies 
could handle information inconsistently. OMB's subsequent release of 
guidance, as previously discussed, clarified agency requirements for 
such privacy protections. 

* Security: We highlighted that federal government information systems 
have been targeted by persistent, pervasive, and aggressive threats 
and that, as a result, personal and agency information needs to be 
safeguarded from security threats, and that guidance may be needed for 
employees on how to use social media Web sites properly and how to 
handle information in the context of social media. 

Cyber attacks continue to pose a potentially devastating threat to the 
systems and operations of the federal government. In February 2011, 
the Director of National Intelligence testified that, in the previous 
year, there had been a dramatic increase in malicious cyber activity 
targeting U.S. computers and networks, including a more than tripling 
of the volume of malicious software since 2009.[Footnote 14] 

Further, in March 2011, the Federal Trade Commission (FTC) reached an 
agreement with Twitter to resolve charges that the company deceived 
consumers and put their privacy at risk by failing to safeguard their 
personal information. The FTC alleged that serious lapses in the 
company's security allowed hackers to obtain unauthorized 
administrative control of Twitter and send unauthorized tweets from 
user accounts, including one tweet, purportedly from President Obama, 
that offered his more than 150,000 "followers" a chance to win $500 in 
free gasoline, in exchange for filling out a survey. To resolve the 
charges, Twitter agreed to establish and maintain a comprehensive 
information security program that would be assessed by an independent 
auditor every other year for 10 years.[Footnote 15] 

According to a Chief Information Officers (CIO) Council report 
released in September 2009, as the federal government begins to 
utilize public social media Web sites, advanced persistent threats may 
be targeted against these Web sites. In addition, attackers may use 
social media to collect information and launch attacks against federal 
information systems. Table 1 summarizes three types of security 
threats identified by the CIO Council that agencies may face when 
using commercially provided social media services. 

Table 1: Examples of Security Threats Agencies Face When Using 
Commercially Provided Social Media Services: 

Social media threat: Spear phishing; 
Description: An attack targeting a specific user or group of users 
that attempts to deceive the user into performing an action, such as 
opening a document or clicking a link, that can lead to a compromise 
of the user's system by installing malicious software. Spear phishers 
rely on knowing personal information about their target, such as an 
event, interest, travel plans, or current issues, that allows them to 
gain the confidence of their victims. Sometimes this information is 
gathered by hacking into the targeted network, but often it is easy to 
look up personal details about target victims on a social media 
network. 

Social media threat: Social engineering; 
Description: An attack using personal information to build trust with 
a user in order to gain unauthorized access to sensitive information, 
systems, and networks or to engage in identity fraud, among other 
things. For example, an attacker may learn personal information about 
an individual through a social media service and build a trust 
relationship by expressing interest in similar topics. Once the victim 
trusts the attacker, the attacker can collect additional information 
about the user or use their relationship to expand the attacker's 
influence to other users and friends, further compromising networks 
and systems and jeopardizing additional individuals. 

Social media threat: Web application attack; 
Description: An attack utilizing custom Web applications embedded 
within social media sites, which can lead to installation of malicious 
code onto federal computers to be used to gain unauthorized access. A 
hijacked account of a federal user or a federal account may allow for 
unauthorized posts, tweets, or messages to be seen by the public as 
official messages, or may be used to spread malicious software by 
encouraging users to click links or download unwanted applications. 

Source: GAO analysis of CIO Council data. 

[End of table] 

The rapid development of social media technologies makes it 
challenging to keep up with the constantly evolving threats deployed 
against them and raises the risks associated with government 
participation in such technologies. 

Federal Agencies Have Used Social Media Services for a Variety of 
Purposes: 

Federal agencies have been using social media services to support 
their individual missions. While Facebook, Twitter, and YouTube offer 
unique ways for agencies to interact with the public, we identified 
several distinct ways that federal agencies are using the three social 
media services. Despite varying features of the three platforms, 
agency interactions can be broadly categorized by the manner in which 
information is exchanged with the public, including reposting 
information already available on an agency Web site, posting original 
content not available on agency Web sites, soliciting feedback from 
the public, responding to comments, and linking to non-government Web 
sites. Figure 1 shows how the 23 agencies[Footnote 16] use each of 
these functions. 

Figure 1: Agency Use of Facebook, Twitter, and YouTube from July 2010 
through January 2011: 

[Refer to PDF for image: vertical bar graph] 

Agency use: Reposting information available on agency Web sites; 
Facebook: 22; 
Twitter: 23; 
YouTube: 23. 

Agency use: Posting content not available on agency Web sites; 
Facebook: 10; 
Twitter: 21; 
YouTube: 12. 

Agency use: Soliciting comments; 
Facebook: 12; 
Twitter: 21; 
YouTube: 12. 

Agency use: Responding to comments on posted content; 
Facebook: 16; 
Twitter: 15; 
YouTube: 3. 

Agency use: Providing links to non-government Web sites; 
Facebook: 16; 
Twitter: 22; 
YouTube: 2. 

Source: GAO analysis of publicly available data. 

[End of figure] 

Reposting Information Available on Agency Web sites: 

All 23 agencies used social media to re-post information that is also 
available on an official agency Web site. This information typically 
included press releases that agencies issue on mission-related topics 
or posts to an agency's blog. Each of the three services was used for 
reposting information by the agencies. 

Facebook was used to repost information and direct the public to an 
agency's official Web site. For example, the Social Security 
Administration (SSA) posted a notice on its Facebook page that briefly 
discussed Social Security benefits and provided a link to SSA's Web 
site. The same information was also posted on the SSA Web page. 

Twitter was used to repost information in an abbreviated format, 
accompanied by a link to an official agency Web page where the full 
content was available. For example, the Department of the Interior 
posted a message (or "tweet") about an order that the Secretary of the 
Interior had issued and provided a link to the agency's Web site where 
the full order was available. 

YouTube was generally used to provide an alternate means of accessing 
videos that were available on the agencies' Web sites. For example, 
the Department of Defense (DOD) uploaded a video to its YouTube 
channel--the Pentagon Channel--that described what was going on at the 
Pentagon during a particular week. The video was also posted on a DOD 
Web site dedicated to broadcasting military news and information for 
members of the armed forces. 

Posting Content Not Available on Agency Web sites: 

In addition to reposting information, agencies also used social media 
to post original content that is not available on their Web sites. All 
23 agencies used social media to post content not available on the 
agency's Web site. Twitter was used most often for this purpose. 

Facebook was used to post content such as pictures and descriptions of 
officials on tours or inspections. For example, the Facebook page for 
the Department of Housing and Urban Development (HUD) featured a 
picture of the HUD Secretary with President Obama and others while 
visiting a renovated public housing development during a trip to New 
Orleans to observe efforts to rebuild the city following Hurricane 
Katrina. This picture and explanation were not posted to any of HUD's 
Web sites. 

Twitter was often used by agencies to post ephemeral or time-sensitive 
information. For example, DOD used its Twitter account to encourage 
its subscribers to sign up to be extras in a movie filming in 
Washington, D.C. This information and encouragement were not posted on 
the department's Web site. 

YouTube was often used to publish videos of officials discussing 
topics of interest to the public. An example of this is a video posted 
to the Department of Energy's (DOE) YouTube channel on August 2, 2010, 
in which an official discussed a project for a battery-based energy 
storage system. Neither this video nor a transcript of the video was 
found on a DOE Web site. 

Soliciting Comments: 

Agencies also used Facebook, Twitter, and YouTube to request comments 
from the public. This feedback may be received either through the 
social media service itself or through an agency Web site. Twenty-two 
of 23 agencies used social media to solicit comments from the public. 
Of the 22 agencies soliciting feedback, most used Twitter for this 
purpose. 

Facebook was generally used for feedback solicitation both when the 
agency wanted the public to provide comments directly via the social 
media site and when the agency wanted the public to provide comments 
through an agency Web site. For example, the Department of Veterans 
Affairs asked on its Facebook page if the readers liked the redesign 
of the agency's main Web site. The post received over 50 comments. 

Twitter was generally used for feedback solicitation when the agency 
wanted the public to provide comments through an agency Web site. For 
example, the Department of Education posted a tweet that requested 
both teachers and parents to comment on their views of what an 
effective parent-teacher partnership looks like. The post included a 
link to the department's blog on its Web site, where individuals could 
leave comments. 

YouTube was also used for feedback solicitation. For example, the 
Department of Transportation uploaded a video to its YouTube channel 
asking the public to create and upload videos describing how 
distracted driving has affected their lives. The video received 
multiple comments from the public expressing their views on driving 
and using their cell phones at the same time. 

Responding to Comments on Posted Content: 

Agencies also used social media to respond to comments from the public 
that were posted on the agencies social media sites to address both 
administrative and mission-related topics. In these instances, agency 
responses to public comments were posted to the same social media Web 
pages where the original comments appeared. Seventeen of the 23 
agencies posted responses to public comments on their social media 
sites. These agencies generally used Facebook or Twitter the most for 
this activity, with few agencies responding to comments received on 
their YouTube channels. 

Agencies used Facebook to respond to comments received on their 
Facebook pages. For example, HUD posted information on its Facebook 
page regarding the department's allocation of funding for rental 
assistance for non-elderly persons with disabilities with a link to 
additional information located on the department's Web site. In 
response, individuals posted questions and comments, and HUD responded. 

Twitter was also used by agencies to respond to comments.[Footnote 17] 
For example, a tweet posted by the Small Business Administration (SBA) 
in response to a comment received from a Twitter user stated that the 
agency was still tweaking the functionality of a system and as a means 
to provide better customer service asked what e-mail address the 
individual used. 

Providing Links to Non-Government Web sites: 

The agencies we reviewed also used social media sites to post links to 
non-government Web sites (i.e., a Web site whose address does not end 
in .gov or is not an agency initiative). For example, agencies often 
provided links to relevant articles located on news media Web sites. 
All 23 agencies used social media to post links to non-government Web 
sites. Of the three social media services, Twitter was used the most, 
while few agencies used YouTube for this purpose. 

Twitter was often used by agencies to post links to Web sites, as many 
of the tweets that Twitter subscribers receive contain links to Web 
sites providing further information. For example, the Secretary of 
Transportation posted a Twitter message about a non-government 
organization's Web site, along with a link to the site. 

Federal Agencies Have Made Mixed Progress in Developing Policies and 
Procedures for Managing and Protecting Information Associated with 
Social Media Use: 

Federal agencies have made mixed progress in developing records 
management guidance and assessing privacy and security risks 
associated with their use of commercially provided social media 
services. Specifically, 12 of the 23 major federal agencies that use 
Facebook, Twitter, and YouTube have developed and issued guidance to 
agency officials that outlines (1) processes and policies for how 
social media records are identified and managed and (2) record-keeping 
roles and responsibilities. Further, 12 agencies have updated their 
privacy policies to describe whether they use personal information 
made available through social media. In addition, eight agencies 
conducted privacy impact assessments to identify potential risks 
associated with agency use of the three services. Finally, seven 
agencies assessed and documented security risks associated with use of 
the three services and identified mitigating controls to address those 
risks. Table 2 outlines the extent to which each of the 23 major 
federal agencies have developed policies and procedures for use of 
social media. 

Table 2: Extent to Which Major Federal Agencies Have Developed 
Policies and Procedures for Using Social Media: 

Agency: Department of Agriculture; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube. 

Agency: Department of Commerce; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of Defense; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube. 

Agency: Department of Education; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of some but not 
all services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of Energy; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube;
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of Health and Human Services; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube. 

Agency: Department of Homeland Security; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services;
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube;
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of Housing and Urban Development; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of the Interior; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube. 

Agency: Department of Justice; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of Labor; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube. 

Agency: Department of State; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of some but not 
all services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of Transportation; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of the Treasury; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Department of Veterans Affairs; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube. 

Agency: Environmental Protection Agency; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: General Services Administration; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Developed policies and procedures that guided use of 
Facebook, Twitter, and YouTube; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube. 

Agency: National Aeronautics and Space Administration; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: National Science Foundation; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Developed policies and procedures that guided use of Facebook, 
Twitter, and YouTube; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Office of Personnel Management; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Developed policies and procedures that 
guided use of Facebook, Twitter, and YouTube; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Small Business Administration; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: Social Security Administration; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Agency: U.S. Agency for International Development; 
Records management: Document processes and policies and record-keeping 
roles and responsibilities for how social media records are identified 
and managed: Did not develop policies and procedures for use of social 
media services; 
Privacy protection: Update privacy policy to discuss use of PII made 
available through social media: Did not develop policies and 
procedures for use of social media services; 
Privacy protection: Conduct privacy impact assessment for social media 
use: Did not develop policies and procedures for use of social media 
services; 
Security risk management: Identify security risks associated with 
agency use of social media and security controls to mitigate risks: 
Did not develop policies and procedures for use of social media 
services. 

Source: GAO analysis of agency-provided data. 

[End of table] 

Agencies Have Made Progress in Establishing Guidance for Managing 
Social Media Records: 

We previously reported that agencies faced challenges in assessing 
whether the information they generate and receive by means of these 
services constitutes federal records and establishing mechanisms for 
capturing and preserving such records.[Footnote 18] NARA's October 
2010 bulletin on managing social media records highlighted, among 
other things, the need to ensure that social media policies and 
procedures articulate clear records management processes and policies 
and recordkeeping roles and responsibilities. Establishing such 
guidance can provide a basis for consistently and appropriately 
categorizing and preserving social media content as records. 

Twelve of the 23 major federal agencies have taken steps to include 
records management guidance in their social media policies and 
procedures.[Footnote 19] The scope and breadth of the guidance 
provided varied with each agency. Specifically, eight of the agencies 
included general statements directing officials responsible for social 
media content to conform to agency records management policies in 
identifying records and how to manage them. For example, the 
Department of Health and Human Services' social media policy stated 
that "records management requirements for social media technologies 
are similar to any other information system and shall be in 
conformance with existing policy" and provided a Web link to the 
department's records management policies. Four agencies provided more 
specific guidance to officials on what social media content 
constitutes a federal record at their respective agencies. For 
example, the Department of Justice issued a policy in August 2009 that 
included a set of questions department officials are to answer in 
determining the record status of content posted on agency social media 
pages. Officials were asked to assess, among other things, (a) whether 
the agency content was original and not published on other agency Web 
sites, (b) the duration of time the content would need to be retained, 
and (c) what agency entity would be responsible for preserving and 
monitoring the information posted on the social media site. 

Officials from 10 of the 11 agencies that have not yet documented 
social media guidance for records management reported taking actions 
to develop such guidance.[Footnote 20] Officials from 1 other agency 
(the National Science Foundation) stated that they intended to prepare 
guidance but did not report taking any actions to do so. 

However, agency officials are still likely to need clear direction on 
how to assess social media records when using new technology. NARA 
noted in a September 2010 study that records management staff in 
agencies have been overwhelmed by the speed at which agency employees 
are adopting new social media technologies and that social media 
adopters have sometimes ignored records management concerns.[Footnote 
21] Until agencies ensure that records management processes and 
policies and recordkeeping roles and responsibilities are articulated 
within social media policies, officials responsible for creating and 
administering content on agency social media sites may not be making 
appropriate determinations about social media records. 

Agencies Continue to Face Challenges in Establishing Mechanisms for 
Capturing and Preserving Social Media Records: 

Once the need to preserve information as federal records has been 
established, mechanisms need to be put in place to capture such 
records and preserve them properly. We previously testified that 
establishing such mechanisms may be challenging for agencies because 
the types of records involved when information is collected via 
technologies like social media services may not be clear.[Footnote 22] 
Officials at agencies that issued records management guidance for 
social media generally agreed that determining how to preserve social 
media content as records remains an issue. For example, officials at 
the Department of the Interior stated that having information with 
federal record value on non-government systems--such as those of 
commercial providers of social media--can create challenges in 
determining who has control over the information and how and when 
content should be captured for record-keeping. Participants at a 
roundtable discussion hosted by the National Academy of Public 
Administration on our behalf also confirmed capturing records as a 
challenge. One participant suggested that further guidance from NARA 
to include specific "use cases" as examples would benefit agencies in 
understanding what approaches can be taken to properly capture and 
preserve social media records. 

NARA recently identified the need for further study of potential 
mechanisms for capturing social media content as records. In its 
September 2010 study, NARA noted that an agency may not have 
sufficient control over its content to apply records management 
principles due to the nature of a third-party site. Furthermore, 
social media technology can change quickly with functionality being 
added or changed that could have an impact on records management. As a 
result, NARA concluded that it should continue to work with other 
federal agencies to identify best practices for capturing and managing 
these records. Within its October 2010 bulletin, NARA presented a list 
of options for how to preserve social media records, such as Web 
capture tools to create local versions of sites and convert content to 
other formats. NARA officials stated that activities are underway to 
provide further assistance to agencies in determining appropriate 
methods for capturing social media content as federal records. 
Specifically, in January 2011 NARA initiated a working group in 
partnership with the Federal Records Council to evaluate Web 2.0 
issues regarding records management and develop strategies for 
capturing social media content as federal records. However, NARA has 
yet to establish a time frame for issuing new guidance as a result of 
these efforts. Until guidance is developed that identifies potential 
mechanisms for capturing social media content as records, potentially 
important records of government activity may not be appropriately 
preserved. 

Agencies Have Made Mixed Progress in Updating Privacy Policies and 
Assessing Privacy Risks Associated with Use of Social Media Services: 

Social media services often encourage people to provide extensive 
personal information that may be accessible to other users of those 
services. Government agencies that participate in such sites may have 
access to this information and may need to establish controls on how 
such information can be used. We previously reported that, while such 
agencies cannot control what information may be captured by social 
networking sites, they can make determinations about what information 
they will collect and how it will be used.[Footnote 23] In June 2010, 
OMB issued memorandum M-10-23, which specified a variety of actions 
agencies should take to protect individual privacy whenever they use 
third-party Web sites and applications to engage with the public. Two 
key requirements established by OMB were the need for each agency to 
(1) update its privacy policy in order to provide the public with 
information on whether the agency uses PII made available through its 
use of third-party Web sites for any purpose, and (2) conduct privacy 
impact assessments (PIA) whenever an agency's use of a third-party Web 
site makes PII available to the agency.[Footnote 24] 

Assessing privacy risks is an important element of conducting a PIA 
because it helps agency officials determine appropriate privacy 
protection policies and techniques to implement those policies. A 
privacy risk analysis should be performed to determine the nature of 
privacy risks and the resulting impact if corrective actions are not 
implemented to mitigate those risks. Such analysis can be especially 
helpful in connection with the use of social media because there is a 
high likelihood that PII will be made available to the agency. 

Twelve out of 23 agencies updated their privacy policies to include 
discussion on the use of personal information made available through 
social media services.[Footnote 25] In general, agencies stated that 
while PII was made available to them through their use of social media 
services, they did not collect or use the PII. For example, HUD 
updated the privacy policy on its main Web site, [hyperlink, 
http://www.hud.gov], to state that "no personally identifiable 
information (PII) may be requested or collected from [its use of] 
social media sites." As another example, the Department of Energy 
included a discussion of its policy of removing PII that may be posted 
on its social media page, noting that officials reserved the right to 
moderate or remove comments that include PII. 

Officials from 5 of the 11 agencies that have not updated their 
privacy policies reported taking actions to do so.[Footnote 26] 
Officials from 6 additional agencies (the Departments of Commerce, 
Health and Human Services, Labor, and Transportation; the National 
Aeronautics and Space Administration, and the Social Security 
Administration) stated that they intended to update their privacy 
policies but did not report taking any actions to do so. 

Eight agencies conducted PIAs to assess the privacy risks associated 
with their use of the three services.[Footnote 27] For example, the 
Department of Homeland Security (DHS) published a PIA that assessed 
the risks of the agency's use of social networking tools, including 
the potential for agency access to the personal information of 
individuals interacting with the department on such sites. To mitigate 
this risk, the department established a policy of prohibiting the 
collection of personal information by DHS officials using social media 
sites. Likewise, the Department of Transportation completed a PIA for 
the use of third-party Web sites and applications, including Facebook, 
Twitter, and YouTube. The PIA outlined, among other things, what types 
of PII may potentially be made available to the agency through its use 
of social media, including the name, current residence, and age of 
users who may friend, follow, subscribe to or otherwise interact with 
an official department page on a third-party site. In these instances, 
the department's PIA directed officials to avoid capturing and using 
the PII and to redact any PII contained in screenshots that may be 
saved for recordkeeping purposes. 

Officials from 13 agencies had not completed PIAs for their use of any 
of the social media services, while an additional 2 agencies performed 
assessments that only evaluated risks associated with using Facebook. 
Officials from 10 of these agencies reported taking actions to conduct 
the assessments.[Footnote 28] Officials from 2 other agencies (the 
Department of State and the Small Business Administration) stated that 
they intended to conduct assessments but did not report taking any 
actions to do so. Officials from the other 3 agencies (the Departments 
of Agriculture and the Treasury; and the General Services 
Administration) stated that they did not plan to conduct PIAs because 
they were not planning to collect personal information provided on 
their social media sites and, therefore, an assessment was unnecessary. 

However, OMB's guidance states that when an agency takes action that 
causes PII to become accessible to agency officials--such as posting 
information on a Facebook page that allows the public to comment--PIAs 
are required. Given that agency officials have access to comments that 
may contain PII and could collect and use the information for another 
purpose, it is important that an assessment be conducted, even if 
there are no plans to save the information to an agency system. 

Without updating privacy policies and performing and publishing PIAs, 
agency officials and the public lack assurance that all potential 
privacy risks have been evaluated and that protections have been 
identified to mitigate them. 

Agencies Have Made Mixed Progress in Assessing Security Risks 
Associated with Use of Commercially Provided Social Media Services: 

Pervasive and sustained cyber attacks continue to pose a potentially 
devastating threat to the systems and operations of the federal 
government. As part of managing an effective agencywide information 
security program to mitigate such threats, FISMA requires that federal 
agencies conduct periodic assessments of the risk and magnitude of 
harm that could result from the unauthorized access, use, disclosure, 
disruption, modification, or destruction of agency information and 
information systems. To help agencies implement such statutory 
requirements, NIST developed a risk management framework for agencies 
to follow in developing information security programs.[Footnote 29] As 
part of this framework, federal agencies are to assess security risks 
associated with information systems that process federal agency 
information and identify security controls that can be used to 
mitigate the identified risks. In associated guidance, NIST 
highlighted that using such a risk-based approach is also important in 
circumstances where an organization is employing information 
technology beyond its ability to adequately protect essential missions 
and business functions, such as when using commercially provided 
social media services.[Footnote 30] By identifying the potential 
security threats associated with use of such third-party systems, 
agencies can establish proper controls and restrictions on agency use. 

Seven out of 23 agencies performed and documented security risk 
assessments concerning their use of the three social media services. 
[Footnote 31] For example, the Department of Labor outlined the 
agency's use of the three tools within one risk assessment, evaluating 
potential threats and vulnerabilities, and recommended controls to 
mitigate risks associated with those threats and vulnerabilities. The 
department identified, among other things, the potential risk of 
having unauthorized information posted to its social media page by 
agency officials with social media responsibilities and identified the 
need for such individuals to receive training on proper use of social 
media sites. Additionally, a Department of Health and Human Services 
security document stated that, due to risks associated with use of 
social media, including the potential for social media sites to be 
used as a vehicle for transmitting malicious software, the department 
would block use of social media sites--including Facebook, Twitter, 
and YouTube--by employees, with specific allowances made for those 
with documented business needs. 

According to officials, 16 agencies had not completed and documented 
assessments for their use of any of the social media services. 
Officials from 12 of these agencies reported that they were taking 
actions to conduct security risk assessments but had not yet completed 
them.[Footnote 32] Officials from 2 additional agencies (the 
Department of Commerce and the National Science Foundation) stated 
that they intended to conduct assessments but did not report taking 
any actions to do so. Officials at 1 other agency (the Department of 
State) reported that they did not plan to conduct assessments because 
their internal policies and procedures did not require them to perform 
risk assessments. As we previously stated, however, NIST guidance 
requires the application of the risk management process to social 
networking uses to establish proper controls and restrictions on 
agency use. Officials from 1 other agency (the Department of 
Transportation) reported that they had conducted a security risk 
assessment but did not document the results. Without such 
documentation, the agency may lack evidence of the justification and 
rationale for decisions made based on the risk assessment and, 
consequently, the assurance that security controls have been 
implemented to properly address identified security threats. 

Without conducting and documenting a risk assessment, agency officials 
cannot ensure that appropriate controls and mitigation measures are in 
place to address potentially heightened threats associated with social 
media, including spear phishing and social engineering. 

Conclusions: 

Federal agencies are increasingly making use of social media 
technologies, including Facebook, Twitter, and YouTube, to provide 
information about agency activities and interact with the public. 
While the purposes for which agencies use these tools vary, they have 
the potential to improve the government's ability to disseminate 
information, interact with the public, and improve services to 
citizens. 

However, the widespread use of social media technologies also 
introduces risks, and agencies have made mixed progress in 
establishing appropriate policies and procedures for managing records, 
protecting the privacy of personal information, and ensuring the 
security of federal systems and information. Specifically, just over 
half of the major agencies using social media have established 
policies and procedures for identifying what content generated by 
social media is necessary to preserve in order to ensure compliance 
with the Federal Records Act, and they continue to face challenges in 
effectively capturing social media content as records. Without clear 
policies and procedures for properly identifying and managing social 
media records, potentially important records of government activity 
may not be appropriately preserved. In addition, most agencies have 
not updated their privacy policies or assessed the impact their use of 
social media may have on the protection of personal information from 
improper collection, disclosure, or use, as called for in recent OMB 
guidance. Performing PIAs and updating privacy policies can provide 
individuals with better assurance that all potential privacy risks 
associated with their personal information have been evaluated and 
that protections have been identified to mitigate them. Finally, most 
agencies did not have documented assessments of the security risks 
that social media can pose to federal information or systems in 
alignment with FISMA requirements, which could result in the loss of 
sensitive information or unauthorized access to critical systems 
supporting the operations of the federal government. Without 
conducting and documenting a risk assessment, agency officials cannot 
ensure that appropriate controls and mitigation measures are in place 
to address potentially heightened threats associated with social 
media, such as spear phishing and social engineering. 

Recommendations for Executive Action: 

To ensure that federal agencies have adequate guidance to determine 
the appropriate method for preserving federal records generated by 
content presented on agency social media sites, we recommend that the 
Archivist of the United States develop guidance on effectively 
capturing records from social media sites and that this guidance 
incorporate best practices. 

We are also making 32 recommendations to 21 of the 23 departments and 
agencies in our review to improve their development and implementation 
of policies and procedures for managing and protecting information 
associated with social media use. Appendix II contains these 
recommendations. 

Agency Comments and Our Evaluation: 

We sent draft copies of this report to the 23 agencies covered by our 
review, as well as to the National Archives and Records 
Administration. We received written or e-mail responses from all the 
agencies. A summary of their comments and our responses, where 
appropriate, are provided below. 

In providing written comments on a draft of this report, the Archivist 
of the United States stated that NARA concurred with the 
recommendation to develop guidance on effectively capturing records 
from social media sites and that the agency would incorporate best 
practices in this guidance. NARA's comments are reprinted in appendix 
III. 

Of the 21 agencies to which we made recommendations, 12 (the 
Departments of Defense, Education, Energy, Homeland Security, Housing 
and Urban Development, and Veterans Affairs; the Environmental 
Protection Agency; the National Aeronautics and Space Administration; 
the National Science Foundation; the Office of Personnel Management; 
the Social Security Administration; and the U.S. Agency for 
International Development) agreed with our recommendations. 

Two of the 21 agencies (the Departments of Commerce and Health and 
Human Services) generally agreed with our recommendations but provided 
qualifying comments: 

* In written comments on a draft of the report, the Secretary of 
Commerce concurred with our two recommendations but provided 
qualifying comments about the second. Regarding our recommendation 
that the department conduct and document a security risk assessment to 
assess security threats associated with agency use of commercially 
provided social media services and identify security controls that can 
be used to mitigate the identified threats, he stated that the 
department had a policy in place that requires risk-based assessments 
to be conducted of social media technologies used by the department in 
order to determine if mitigating strategies, such as access or usage 
limitation, are warranted. However, the department did not provide 
documentation demonstrating that it had completed and documented any 
of the required risk assessments. The department's comments are 
reprinted in appendix IV. 

* In an e-mail response on a draft of the report, a Department of 
Health and Human Services' Senior Information Security Officer stated 
that the department agreed with our recommendation to update its 
privacy policy. However, the department disagreed with the perceived 
finding that it had not made progress in conducting a PIA and reported 
recent efforts to do so. We did not intend to suggest that the 
department had not taken any steps to develop a PIA, and we updated 
our report to clarify that the department has taken actions to develop 
PIAs for its social media use. However, the agency has not yet 
completed its PIA and thus may lack assurance that all potential 
privacy risks have been evaluated and that protections have been 
identified to mitigate them. 

Three of the 21 agencies (the Departments of Agriculture and State; 
and the General Services Administration) did not concur with all of 
the recommendations made to them: 

* In written comments on a draft of the report, the Department of 
Agriculture's CIO disagreed with our recommendation that the 
department conduct and document a privacy impact assessment that 
evaluates potential privacy risks associated with agency use of social 
media services and identifies protections to address them. 
Specifically, the CIO stated that the department had completed a 
Privacy Threshold Analysis that indicated that a PIA was not required 
since the department did not solicit, collect, or retain PII through 
its social media sites. However, as indicated in our report, OMB's 
guidance states that when an agency takes action that causes PII to 
become accessible to agency officials--such as posting information on 
a Facebook page that allows the public to comment--PIAs are required. 
Without a PIA, the department may lack assurance that all potential 
privacy risks have been evaluated and that protections have been 
identified to mitigate them. The Department of Agriculture's comments 
are reprinted in appendix V. 

* In written comments on a draft of the report, the Department of 
State's Chief Financial Officer concurred with one of our two 
recommendations, but not the other. Specifically, regarding our 
recommendation that the department conduct and document a security 
risk assessment to assess security threats associated with agency use 
of commercially provided social media services and identify security 
controls that can be used to mitigate the identified threats, he 
stated that the department shared GAO's concern regarding the security 
of information in commercially provided social media but that since 
the department had already determined that its use of social media 
sites would be limited to providing the public with "low-impact" 
information, no further risk assessment or certification and 
accreditation was required. He further stated that the impact on 
confidentiality, integrity, and availability of systems with such non-
structured data could only be determined by policy, not by risk 
analysis and, therefore, a security risk assessment was not warranted. 
However, although limiting the type of information that is processed 
on third-party systems can be an effective mitigating security 
control, without conducting and documenting a risk assessment, agency 
officials cannot ensure that policies and mitigation measures 
effectively address potentially heightened threats associated with 
social media, including spear phishing and social engineering. The 
Department of State's comments are reprinted in appendix VI. 

* In written comments on a draft of the report, the Administrator of 
the General Services Administration partially agreed with our two 
recommendations. Regarding our recommendation that the agency update 
its privacy policies to describe whether PII made available through 
its use of social media services is collected and used, the 
Administrator noted that the agency was updating its privacy directive 
to describe the agency's practices for handling PII made available 
through the use of social media. Accordingly, we have updated our 
report to indicate that the agency has taken actions to update its 
privacy policies for its use of social media. Regarding our 
recommendation that the agency conduct and document a privacy impact 
assessment that evaluates potential privacy risks associated with 
agency use of social media services and identifies protections to 
address them, the Administrator stated that no PII is sought by or 
provided to GSA as a result of the agency's use of Facebook, YouTube, 
and Twitter and, therefore, the agency determined that conducting a 
PIA was unnecessary. However, as indicated in our report, OMB's 
guidance states that when an agency takes action that causes PII to 
become accessible to agency officials--such as posting information on 
a Facebook page that allows the public to comment--PIAs are required. 
Without a PIA, the department may lack assurance that all potential 
privacy risks have been evaluated and that protections have been 
identified to mitigate them. The General Services Administration's 
comments are reprinted in appendix VII. 

Four of the 21 agencies did not comment on the recommendations 
addressed to them. Specifically, the Departments of Labor and 
Transportation reported that they did not have any comments and the 
Department of the Treasury and Small Business Administration only 
provided technical comments, which we addressed in the final report as 
appropriate. 

In cases where these 21 agencies also provided technical comments, we 
have addressed them in the final report as appropriate. Agencies also 
provided with their comments information regarding actions completed 
or underway to address our findings and recommendations and we updated 
our report to recognize those efforts.[Footnote 33] Additional written 
comments are reprinted in appendices VIII through XVII. 

We also received e-mail responses from the 2 agencies to which we did 
not make recommendations. Specifically, the Department of the Interior 
provided technical comments via e-mail and the Department of Justice 
stated that it did not have comments on the draft of this report. 

As agreed with your office, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. We will then send copies of this report to other 
interested congressional committees, Secretaries of the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Labor, State, Transportation, the Treasury, and Veterans 
Affairs; the Attorney General; the Administrators of the Environmental 
Protection Agency, General Services Administration, National 
Aeronautics and Space Administration, Small Business Administration, 
and U.S. Agency for International Development; the Commissioner of the 
Social Security Administration; the Directors of the National Science 
Foundation and Office of Personnel Management; and the Archivist of 
the United States. The report will also be available at no charge on 
the GAO Web site at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions regarding this report, please 
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Key contributors to this report 
are listed in appendix XVIII. 

Gregory C. Wilshusen Director, Information Security Issues: 

List of Requesters: 

The Honorable Joseph I. Lieberman: 
Chairman: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Thomas R. Carper: 
Chairman: 
Subcommittee on Federal Financial Management, Government Information, 
Federal Services, and International Security: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Mark L. Pryor: 
Chairman: 
Subcommittee on Disaster Recovery and Intergovernmental Affairs: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Elijah Cummings: 
Ranking Member: 
Committee on Oversight and Government Reform: 
House of Representatives: 

The Honorable Wm. Lacy Clay: 
House of Representatives: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to: 

* describe how agencies are currently using commercially provided 
social media services, and: 

* determine the extent to which federal agencies have developed and 
implemented policies and procedures for managing and protecting 
information associated with the use of commercially provided social 
media services. 

To address our first objective, we examined the headquarters-level 
Facebook pages, Twitter accounts, and YouTube channels associated with 
each of the 24 major federal agencies covered by the Chief Financial 
Officers Act[Footnote 34] to describe the types of information 
agencies disseminated via the services and the nature of their 
interactions with the public.[Footnote 35] We selected these three 
services because of their widespread use within the federal government 
(23 out of 24 major agencies use each of the services) as well as 
their broad popularity with the public. We reviewed content on the 
social media pages, including agency posts as well as comments 
provided by the public, from July 2010 through January 2011. We 
categorized agency use based on types of information found on their 
social media pages. These categories were (1) reposting information 
available on agency Web sites; (2) posting content not available on 
agency Web sites; (3) soliciting comments; (4) responding to comments 
on posted content; and (5) providing links to non-government Web 
sites. Each agency social media page was reviewed by an analyst to 
determine whether information had been posted that fell into one of 
the five categories. Each identified example was corroborated by a 
second analyst. In the event no examples were identified for an agency 
in a specific category by the first analyst, the second analyst 
conducted an additional independent review of agency posts to confirm 
that none existed. 

To address our second objective, we reviewed pertinent records 
management, privacy, and security policies, procedures, guidance, and 
risk assessments in place at each of the 23 federal agencies and 
compared them to relevant federal records management, privacy, and 
security laws, regulations, and guidance.[Footnote 36] These included 
the Federal Records Act, the Privacy Act of 1974, the E-Government Act 
of 2002, the Federal Information Security Management Act of 2002 
(FISMA), as well as guidance from the National Archives and Records 
Administration (NARA), Office of Management and Budget (OMB), and 
National Institute of Standards and Technology (NIST). We interviewed 
officials at each of these agencies to discuss recent efforts to 
oversee the development of social media policies and procedures and 
assess risks. We also reviewed relevant reports and studies to 
identify records management, privacy, and security risks associated 
with social media use by federal agencies. We interviewed officials 
from OMB, NARA, and NIST, and members of the Chief Information Officer 
Council to develop further understanding of federal agency 
requirements for properly managing and protecting information 
associated with social media use. Further, we coordinated with the 
National Academy of Public Administration, which hosted a roundtable 
discussion on our behalf where views on these issues were solicited 
from federal agency officials involved in agency use of social media. 
Finally, we interviewed representatives of Facebook, Twitter, and 
YouTube to discuss records management, privacy, and security issues 
and their current and planned approaches regarding interactions with 
federal agencies. 

We conducted this performance audit from July 2010 to June 2011 in the 
Washington, D.C., area, in accordance with generally accepted 
government auditing standards. Those standards require that we plan 
and perform the audit to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on 
our audit objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives. 

[End of section] 

Appendix II: Recommendations to Departments and Agencies: 

Department of Agriculture: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Agriculture take the following action: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

Department of Commerce: 

To ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used, we 
recommend that the Secretary of Commerce take the following two 
actions: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Department of Defense: 

To ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used, we 
recommend that the Secretary of Defense take the following action: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

Department of Education: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Education take the following action: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

Department of Energy: 

To ensure that appropriate security measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Energy take the following action: 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Department of Health and Human Services: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Health and Human Services take the following 
action: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

Department of Homeland Security: 

To ensure that appropriate security measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Homeland Security take the following action: 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Department of Housing and Urban Development: 

To ensure that appropriate security measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Housing and Urban Development take the following 
action: 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of Twitter and YouTube and identify 
security controls that can be used to mitigate the identified threats. 

Department of Labor: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Labor take the following action: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

Department of State: 

To ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used, we 
recommend that the Secretary of State take the following two actions: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of Twitter and 
YouTube and identifies protections to address them. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Department of Transportation: 

To ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used, we 
recommend that the Secretary of Transportation take the following two 
actions: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Department of the Treasury: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of the Treasury take the following action: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

Department of Veterans Affairs: 

To ensure that appropriate records management and privacy measures are 
in place when commercially provided social media services are used, we 
recommend that the Secretary of Veterans Affairs take the following 
two actions: 

* Add records management guidance to agency social media policies that 
describes records management processes and policies and recordkeeping 
roles and responsibilities. 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

Environmental Protection Agency: 

To ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used, we 
recommend that the Administrator of the Environmental Protection 
Agency take the following two actions: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

General Services Administration: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Administrator of the General Services Administration take the 
following two actions: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

National Aeronautics and Space Administration: 

To ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used, we 
recommend that the Administrator of the National Aeronautics and Space 
Administration take the following three actions: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

National Science Foundation: 

To ensure that appropriate records management and security measures 
are in place when commercially provided social media services are 
used, we recommend that the Director of the National Science 
Foundation take the following two actions: 

* Add records management guidance to agency social media policies that 
describes records management processes and policies and recordkeeping 
roles and responsibilities. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Office of Personnel Management: 

To ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used, we 
recommend that the Director of the Office of Personnel Management take 
the following two actions: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Small Business Administration: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Administrator of the Small Business Administration take the 
following action: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

Social Security Administration: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Commissioner of the Social Security Administration take the 
following action: 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

U.S. Agency for International Development: 

To ensure that appropriate records management and security measures 
are in place when commercially provided social media services are 
used, we recommend that the Administrator of the U.S. Agency for 
International Development take the following two actions: 

* Add records management guidance to agency social media policies that 
describes records management processes and policies and recordkeeping 
roles and responsibilities. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

[End of section] 

Appendix III: Comments from the National Archives and Records 
Administration: 

National Archives: 
National Archives And Records Administration:
8601 Adelphi Road: 
College Park, MD 20740-6001: 
[hyperlink, http://www.archives.gov] 

Via email: 

May 24 2011: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 
United States Government Accountability Office: 
44 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen, 

Thank you for the opportunity to review and comment on the draft 
report GAO-11-605, Social Media: Federal Agencies Need Policies and 
Procedures for Managing and Protecting Information They Access and 
Disseminate. We are pleased to note the positive recognition of our 
October 2010 bulletin on managing social media records as a basis for 
consistently and appropriately categorizing and preserving social 
media content as records. 

We concur with the recommendation that NARA develop guidance on 
effectively capturing records from social media sites, and will 
incorporate best practices in this guidance. 

If you have questions regarding this information, please contact Mary 
Drak by email at may.drak@nara.gov or by phone at 301-837-1668. 

Signed by: 

David S. Ferriero: 
Archivist of the United States: 

[End of section] 

Appendix IV: Comments from the Department of Commerce: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

United States Department Of Commerce: 
The Secretary of Commerce: 
Washington, D.C. 20230: 

May 27, 2011: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Wilshusen:  

Thank you for the opportunity to comment on the draft report from the 
U.S. Government Accountability Office (GAO) entitled, Social Media: 
Federal Agencies Need Policies and Procedures for Managing and 
Protecting Information They Access and Disseminate (GAO-11-605). The 
Department of Commerce (Department) takes very seriously the privacy of 
visitors to all its Web sites, including its social media presence.  

We concur with the report's recommendation that the Department should 
update its privacy policies to reflect in more detail the importance 
of addressing personally identifiable information when employing 
social media. We do note that the Department of Commerce Policy on the 
Approval and Use of Social Media and Web 2.0 does stipulate that 
privacy impact assessments must be addressed and privacy policy 
statements must be formulated when establishing a social media site.  

Regarding the second GAO recommendation, we concur with the important 
emphasis on conducting security risk assessments and identifying 
security controls to mitigate risks associated with agency use of 
social media services. The Department's Policy on the Approval and Use 
of Social Media and Web 2.0 requires bureau Chief Information Officers 
to carry out a risk-based assessment of social media technologies, in 
accordance with National Institute of Standards and Technology and the 
Federal Information Security Management Act (FISMA) IT security risk 
management framework principles, before such technologies are put into 
use. The policy requires this assessment to address whether access to 
that technology should be permitted, and whether any limitations on 
access or usage, e.g., to potentially include IT security controls, are 
warranted. The policy also dedicates a section to security guidelines 
and recommends a variety of mitigating controls that touch on various 
families of FISMA controls, including account administration, password 
control, password requirements, permission levels, desktop computer 
and browser configuration, scanning of files, and account monitoring. 
[See comment 1] 

We believe that the risk assessments required by the Department's 
policy effectively meet the spirit of the GAO recommendation. If the 
GAO recommendation is meant to imply that a single high-level risk 
assessment of the use of social media services should be conducted, we 
believe that such an assessment would not capture the local context of 
each individual use of social media services. Risk assessments of each 
instance of social media use include the particular use case, 
specifics regarding the information involved, of, purpose and mission 
need supported by the use of such services. We feel that conducting a 
risk assessment for each use, as required by the Department's policy, 
better captures details regarding the usage, and consequently, more 
clearly elucidates the risks and risk-related tradeoffs than carrying 
out a single assessment. 

We are currently in the process of revising our privacy policy to 
address that recommendation and look forward to receiving the final 
report. If you have any questions regarding the Department's response, 
please contact Diana Hynek in the Office of the Chief Information 
Officer at (202) 482-0266. 

Sincerely, 

Signed by: 

Gary Locke: 

The following are GAO's comments to the U.S. Department of Commerce's 
letter dated May 27, 2011. 

GAO Comments: 

1. The department did not provide documentation demonstrating that it 
had completed and documented any of the required risk assessments. 

[End of section] 

Appendix V: Comments from the U.S. Department of Agriculture: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

USDA: 
United States Department of Agriculture: 
Office of the Chief Information Officer: 
1400 Independence Avenue S.W. 
Washington, DC 20250: 

May 27, 2011: 

To: Gregory Wilshusen: 
Director, Information Security Issues: 
Government Accountability Office: 

From: [Signed by] Christopher L. Smith: 
Chief Information Officer: 
Office of the Chief Information Officer: 

Subject: U.S. Department of Agriculture Review of GAO Draft Report
GAO-11-605 "Social Media — Federal Agencies Need Policies and 
Procedures for Managing and Protecting Information They Access and 
Disseminate" 

Thank you for the opportunity to review the subject Draft Report. In 
response to GAO's findings, conclusions, and recommendations, the U.S. 
Department of Agriculture (USDA) submits the following responses: 

Table 2: Extent to Which Major Federal Agencies Have Developed 
Policies and Procedures for Using Social Media: 

1. Document processes and policies and record-keeping roles and 
responsibilities for how social media records are identified and 
managed. 

a. USDA partially agrees with this finding. USDA provided the
following information in writing to GAO on this issue during this 
social media use engagement: 

i. The records management policy addresses identifying and managing 
records in all media, regardless of physical form or characteristics 
(paper and electronic including email and web sites) throughout their 
life cycle. USDA policy documentation relating to records management 
can be found in attachment A, Departmental Regulation DR 3080-001 
"Records Management." 

ii. We are awaiting guidance from the National Archives and
Records Administration (NARA) that will specifically address 
strategies for capturing, preserving and managing social media 
electronic records throughout their life cycle. We will update USDA 
policies accordingly once NARA guidance becomes available. 

iii. USDA maintains records of comments on the blog, takes screen 
shots of deleted comments on Facebook, and saves text from Facebook 
chats. The Office of Communications is currently evaluating Twitter 
archiving tools available in the market place. 

iv. USDA is currently in the process of drafting a social media record 
keeping System of Records Notice. 

Since the completion of GAO's engagement at USDA, the Department has 
completed its draft policy titled "New Media Roles, Responsibilities 
and Authorities" (attachment B). This draft policy addresses records 
management across all aspects of Web 2.0 media. This draft policy is 
currently under internal USDA review. [See comment 1] 

2. Update Privacy policy to discuss use of Personally Identifiable
Information (PH) made available through social media. 

a. USDA partially agrees with this finding. USDA has updated their
Privacy Policy Statement on its social media web site to specifically 
address Privacy Act protected data. Please see screen shot from USDA's 
Social Media and Tools web page (attachment C). 

b. Additionally, USDA has updated its Privacy Policy, draft
Departmental Regulation 3515-XXX (attachment D) to address the 
collection of PII via USDA web sites: 

"Every USDA Web site must clearly and concisely inform visitors about 
what information the Web site collects about individuals, why the 
information is collected, and how it is used. No agency/mission area 
will collect personal information about individuals when they visit 
USDA Web sites unless the visitor chooses to provide that 
information." [See comment 2] 

3. Conduct Privacy Impact Assessment (PIA) for social media use. 

a. USDA disagrees with this finding. USDA completed a Privacy
Threshold Analysis (PTA) on the use of social media by USDA on
September 14, 2010 (attachment E). The results of this PTA indicate 
that a PIA is not required for social media use within USDA. 

GAO recommendation to USDA: 

Conduct and document a PIA that evaluates potential privacy risks 
associated with agency use of social media services and identifies 
protections to address them. 

USDA Response: 

USDA completed a PTA on the use of social media as a public
communications vehicle on September 14, 2010. The results of the PTA 
indicated that a PIA was not required as USDA does not solicit, 
collect or retain. PII through its social media sites. 

USDA uses social media to increase its public information outreach 
programs beyond USDA.gov internet web presence. USDA does not solicit 
nor collect PII from the public via its social media presence. Please 
see the attachment E, USDA Privacy Threshold Analysis (Social Media 
Websites (Facebook, Twitter, and YouTube). 

If further information is needed, please contact Sherry Linkins, 
Office of the Chief Information Officer Audit Liaison, at 202-720-9293. 

Attachments: 

cc: Richard Coffee, Acting ACIO-CPPO: 
Yvonne Jackson, ACIO-TPA&E: 
Christopher Lowe, ACIO-ASOC: 
Ravoyne Payton, USDA Privacy Officer: 
Cynthia Schwind, OCIO: 
Sherry Linkins, Audit Liaison, OCIO: 
Wayne Moore, Director Office of Communications: 
Lennetta Elias, Program Analyst, OCFO: 

The following are GAO's comments to the U.S. Department of 
Agriculture's letter dated May 27, 2011. 

GAO Comments: 

1. After reviewing additional documentation and comments provided by 
department representatives, we updated our report to indicate that the 
department asserted that it is taking actions to develop records 
management guidance for social media use, although it has not yet been 
completed. We have not evaluated these actions. 

2. After reviewing the updated privacy policy on the Department's Web 
site, we agree that the agency has met the requirement, and we have 
modified table 2 in the final report to reflect that the department 
has updated its policy. 

3. We believe that a PIA is required. As indicated in our report, 
OMB's guidance states that when an agency takes action that causes PII 
to become accessible to agency officials--such as posting information 
on a Facebook page that allows the public to comment--PIAs are 
required. Without a PIA, the department may lack assurance that all 
potential privacy risks have been evaluated and that protections have 
been identified to mitigate them. 

[End of section] 

Appendix VI: Comments from the Department of State: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

United States Department of State: 
Chief Financial Officer: 
Washington, D.C. 20520: 

Ms. Jacquelyn Williams-Bridgers: 
Managing Director: 
International Affairs and Trade: 
Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548-0001: 

May 31, 2011: 

Dear Ms. Williams-Bridgers: 

We appreciate the opportunity to review your draft report,
"Social Media: Federal Agencies Need Policies and Procedures for
Managing and Protecting Information They Access and Disseminate," GAO
Job Code 311048. 

The enclosed Department of State comments are provided for 
incorporation with this letter as an appendix to the final report.
If you have any questions concerning this response, please contact
Christina Jones, Privacy Division Chief, Bureau of Administration at 
(202) 261-8407 and George Moore, Chief Computer Scientist, Bureau of
Information Resource Management at (703) 812-2203. 

Sincerely, 

Signed by: 

James L. Millette: 

cc: GAO — Greg Wilshusen: 
A — William H. Moser: 
IRM — Susan H. Swart: 
State/OIG — Evelyn Klemstine: 

[End of letter] 

Department of State Comments on GAO Draft Report: 

Social Media: Federal Agencies Need Policies and Procedures for
Mannino and Protecting Information They Access and Disseminate
(GAO-11-6050 GAO Code 311048): 

The Department of State appreciates the opportunity to comment on 
GAO's draft report, "Social Media: Federal Agencies Need Policies and 
Procedures for Managing and Protecting Information They Access and 
Disseminate." 

Recommendation: Conduct and document a privacy impact assessment that
evaluates potential privacy risks associated with agency use of 
Twitter and YouTube and identifies protections to address them. 

Response: The Department concurs with the recommendation and has 
reviewed its current policy on privacy impact assessments (PIA). To 
that end, the Department will revise the current Facebook PIA to 
reflect a more comprehensive risk assessment that will incorporate all 
social media technologies, such as YouTube and Twitter. [See comment 1] 

Recommendation: Conduct and document a security risk assessment to 
assess security threats associated with agency use of commercially 
provided social media services and identify security controls that can 
be used to mitigate the identified threats. 

Response: The Department shares GAO's concern regarding the security of
information in commercially provided social media. However, the 
Department disagrees with the GAO recommendation, as stated. [See 
comment 2] 

The State Internet Steering Committee recently developed a policy for 
State officials who use such sites in an official capacity. This 
policy is being incorporated into training modules and user agreements 
to ensure that these officials keep sensitive information off of these 
sites. The Department has already determined that use of social media 
sites to provide communication with the public is a valuable tool so 
long as only low-impact information is provided. Moreover, as long as 
this policy is followed, no further risk assessment and/or 
certification and accreditation is required. 

Note that no a-priori risk assessment of these sites is likely to 
provide meaningful results, since the data is non-structured, and 
uninformed users could (if careless or malicious) place sensitive 
information on these sites, just as they could currently leak it to 
the press. The impact on confidentiality, integrity, and availability 
of systems with such non-structured data can only be determined by 
policy (limit data to low-impact data, for example), not by risk 
analysis. Therefore, in our view a Security Risk Assessment at State 
is not warranted at this time. 

The following are GAO's comments to the Department of State's letter 
dated May 31, 2011. 

GAO Comments: 

1. After reviewing additional comments provided by department 
representatives, we updated our report to indicate that the department 
has plans to develop a PIA for its use of YouTube and Twitter. 

2. We believe that conducting and documenting a risk assessment is 
necessary. Although limiting the type of information that is processed 
on third-party systems can be an effective mitigating security 
control, without conducting and documenting a risk assessment, agency 
officials cannot ensure that appropriate controls and mitigation 
measures are in place to address potentially heightened threats 
associated with social media, including spear phishing and social 
engineering. 

[End of section] 

Appendix VII: Comments from the General Services Administration: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

The Administrator: 
U.S. General Services Administration: 
1275 First Street NE:  
Washington, DC 20417: 
Telephone: (202)501-4900: 
Fax (202)219-1243: 

June 3, 2011: 

The Honorable Gene L. Dodaro: 
Comptroller General of the United States: 
U.S. Government Accountability Office: 
Washington, DC 20548: 
 
Dear Mr. Dodaro:  

The U.S. General Services Administration (GSA) appreciates the 
opportunity to review and comment on the draft report, "Social Media: 
Federal Agencies Need Policies and Procedures for Managing and 
Protecting Information They Access and Disseminate" (GAO-11-605). The 
U.S. Government Accountability Office (GAO) recommends that the GSA 
Administrator ensure that appropriate privacy measures are in place 
when commercially provided social media services are used. GAO 
recommended two specific actions for GSA, discussed below. We agree in 
part to both recommendations. GSA is in the process of updating our 
privacy policy and provides clarifying information  regarding GSA's 
use of Privacy Impact Assessments (PIA's).  

Recommendation 1: GAO recommends GSA update privacy policies to 
describe whether PII made available through use of social media 
services is collected and used."  

GSA takes its responsibilities regarding the protection of 
individuals' PII seriously. For  example, GSA's new Social Media 
Navigator, available at www.gsa.gov/socialmedia, states the Agency's 
privacy policy relative to social media. It contains:  

Privacy Considerations: The Government requires public-facing websites 
to conduct privacy impact assessments if they coiled personally 
identifiable information. They should post a "Privacy Act Statement" 
that describes the Agency's legal authority for collecting personal 
data and how the data will be used. Privacy policies on each website 
are also required in a standardized machine-readable format such as 
the Platform for Privacy Preferences Project, or P3P. Information on 
Web 2.0 platforms is accessible by others, so do not disclose Privacy 
Act protected information or other personally identifiable information 
unless authorized to do so in that medium.  

Furthermore, since our initial meetings with GAO, the Privacy Office 
studied other agencies' privacy policies that incorporate guidance 
relative to social media. Accordingly, GSA is updating its Privacy 
Directive to state the Agency's practice of handling PII when it is 
made available through the use of social media. The revised directive 
will be posted when it has completed the concurrence process.  

Recommendation 2: GAO recommends GSA "conduct and document a privacy 
impact assessment that evaluates potential privacy risks associated 
with agency use of social media services and identifies protections to 
address them."  

GAO limited its review to Facebook, Twitter, and YouTube. As discussed 
on an April 14 teleconference and through additional information 
provided Mr. Merinos relative to the draft statement of facts, we 
would like to clarify here again that GSA uses Facebook,
YouTube, and Twitter for one-way marketing. No PII is sought or 
provided to GSA as a result of our use of Facebook, YouTube, or 
Twitter. Therefore, a PIA is unnecessary. In contrast, when GSA plans 
to use social media providers for two-way communication wherein PII is 
potentially received from the public, GSA does indeed "conduct and 
document a privacy impact assessment that evaluates potential privacy 
risks associated with agency use of social media services and 
identifies protections to address them." Furthermore, GSA publicly 
posts its PIAs as illustrated by these examples: [See comment 2] 

Challenge Post PIA: [hyperlink, 
http://www.gsagov/graphies/staffoffices/CkallengeGovPIA.doc] 

Citizen Engagement PIA: [hyperlink, 
http://www.gsa.govtgraphics/staffoffices/CEP_Tools_PIA_061810.doc] 

Open Government Citizen Engagement Tool: [hyperlink, 
http://www.gsa.gov/graphics/staffoffices/OpenGovtEngagementToolOCSC_0216
10.doc] 

Technical comments that update and clarify statements in the draft 
report are enclosed. Should you have any questions, please do not 
hesitate to contact me. Staff inquiries may be directed to Ms. Casey 
Coleman, Chief Information Officer. She can be reached at (202) 501-
1000. 

Sincerely. 

Signed by: 

[Illegible], for: 

Martha Johnson: 
Administrator: 

Enclosure: 

cc: Mr. Gregory C. Wilshusen, Director, Information Technology 
Security Issues, GAO: 

The following are GAO's comments to the General Services 
Administration's letter dated June 3, 2011. 

GAO Comments: 

1. After reviewing additional comments provided by agency 
representatives, we updated our report to indicate that the agency 
asserted that it is taking actions to develop privacy policies 
addressing the agency's use of PII made available through social media 
services. We have not evaluated these actions. 

2. We believe that a PIA is required. As indicated in our report, 
OMB's guidance states that when an agency takes action that causes PII 
to become accessible to agency officials--such as posting information 
on a Facebook page that allows the public to comment--PIAs are 
required. Without a PIA, the agency may lack assurance that all 
potential privacy risks have been evaluated and that protections have 
been identified to mitigate them: 

[End of section] 

Appendix VIII: Comments from the Department of Defense: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

Assistant Secretary Of Defense: 
Networks And Information Integration: 
6000 Defense Pentagon: 
Washington, D.C. 20301-6000 

May 27, 2011: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

In response to the GAO Draft Report, GA0-11-605, "Social Media: Federal
Agencies Need Policies and Procedures for Managing and Protecting 
Information They Access and Disseminate," dated May 6, 2011 (GAO Code 
311048), the Department of Defense concurs with the first of the two 
recommendations. A privacy impact assessment that evaluates potential 
privacy risks associated with agency use of social media services and 
identifies protections to address those risks has been conducted. 
Documentation is in the final approval process and is planned for 
completion by July 29, 2011. [See comment 1] 

Regarding the second recommendation, documentation of the assessment 
of security risks associated with DoD use of social media and 
identification of security controls that can be used to mitigate the 
identified risks was provided to your office on May 12, 2011. 
Consequently, your office has agreed to omit this recommendation from 
the final report. [See comment 2] 

The point of contact for this matter is Mr. Terry Davis, at email: 
terry.w.davis@osd.mil and telephone: 703-699-0107. 

Sincerely, 

Signed by: 

Teresa M. Takai: 
Principal Deputy: 

The following are GAO's comments to the Department of Defense's letter 
dated May 27, 2011. 

GAO Comments: 

1. We updated our report to indicate that the department asserted that 
it is taking actions to develop a PIA for its social media use, 
although it has not yet been finalized. We have not evaluated these 
actions. 

2. After reviewing the additional documentation provided, we agree 
that the department met the requirement of conducting and documenting 
a security risk assessment. We modified the report, as appropriate, 
and removed the recommendation. 

[End of section] 

Appendix IX: Comments from the Department of Education: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

United States Department Of Education: 
Office Of Communications And Outreach: 
The Assistant Secretary: 
400 Maryland Ave. S.W. 
Washington, DC 20202-3500: 
[hyperlink, http://www.ed.gov] 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

I am writing in response to the recommendation made in the U.S. 
Government Accountability Office (GAO) draft report, "Social Media: 
Federal Agencies Need Policies and Procedures for Managing and 
Protecting Information They Access and Disseminate" (GA0-11-605). I 
appreciate the opportunity to comment on the draft report on behalf of 
the U.S. Department of Education (Department). 

Social media tools are important to the Department's efforts to 
communicate with the public. We are using Facebook, Twitter, You Tube, 
and a blog to share information and engage the public in a 
conversation about improving education. (See our list of social media 
pages and accounts at [hyperlink, 
http://www2.ed.gov/aboutioverview/focus/social-media.html].) And we 
are taking steps to ensure that when we use social media, we meet
our legal obligations and requirements. 

The Department's response to the report's recommendation follows, 
along with additional comments on Table 2 in the report. 

Recommendation: To ensure that appropriate privacy measures are in 
place when commercially provided social media services are used, we 
recommend that the Secretary of Education take the following action. 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

Response: The Department agrees with GAO's recommendation. Our privacy 
policy has been updated to describe how we treat personally 
identifiable information (PII). The policy includes the following 
statement: 

"...please be aware that the privacy protection provided at ED.gov may 
not be available on [these] third-party sites. Please note that when 
ED uses social media sites, ED does not collect or in any way use 
personally identifiable information." [See comment 1] 

To read our complete privacy policy, please see the materials at the 
following Web address: [hyperlink, 
http://www2.ed.aovinotices/privacy/index.html#social-media]. 

In addition, the Department would like to comment on several points in 
the draft report. 

1. Table 2 in the draft report indicates that the Department has not 
"document[ed] processes and policies and record-keeping roles and 
responsibilities for how social media records are identified and 
managed." 

The Privacy, Information, and Records Management Services team in our 
Office of Management developed and distributed for comment in early 
May 2011 draft guidance for records management related to social 
media. This guidance describes the principles and questions that the 
Department's principal offices and staff will use when analyzing, 
scheduling, and managing records related to social media. This 
guidance is under review within the Department, and we expect it to be 
issued in final form by the end of fiscal year (FY) 2011. [See comment 
2] 

2. Table 2 indicates that the Department has not "conduct[ed] privacy 
impact assessment for social media use." 

The Privacy, Information, and Records Management Services team in the 
Department's Office of Management developed and distributed in early 
May 2011 a draft "Privacy Impact Assessment for Social Media Websites 
and Applications." This draft is under review within the Department, 
and we expect it to be issued in final form by the end of FY 2011. 
[See comment 3] 

This draft privacy impact assessment (PIA) covers all Department 
current and authorized social media Web sites and applications that 
are functionally comparable; including those owned by the.Department 
or by a third party. None of the social media Web sites and 
applications covered by the PIA solicit, collect, maintain, or 
disseminate sensitive PII from individuals who interact with these 
authorized social media Web sites and applications. For any social 
media uses that raise privacy risks that are distinct and different 
from those covered by this PIA, the Department will prepare a separate 
PIA. 

3. Table 2 indicates that the Department has not "identify[ed] 
security risks associated with agency use of social media and security 
controls to mitigate risks." 

We have in fact taken steps to identify and contain security risks by 
significantly limiting social media access and use to only those 
Department staff who have articulated a business need for such access 
or use. We have also conducted a security risk assessment of social 
media. This risk assessment recommends policy, procedural, and 
technical mitigations that may be employed to lessen the potential 
impact of these risks. The risk assessment is in draft and has not yet 
been finalized. [See comment 4] 

4. Finally, we have developed a draft comprehensive social media 
policy for the Department that will govern the use of social media for 
all employees. This policy discusses privacy, security, records 
management, and related legal requirements. The development of its 
contents was coordinated with the development of the above-mentioned 
records management policy and PIA. This social media policy is 
currently under review within the Department, and we expect it to be 
issued in final form by the end of FY 2011. 

We appreciate the opportunity to review the draft report and comment 
on the recommendation. If you have any questions or concerns regarding 
our response, please have your staff contact Kirk Winters at (202) 401-
3540 or kirk.winters@ed.gov. 

5/25/11: 

Sincerely, 

Signed by: 
Peter Cunningham: 
Assistant Secretary: 

The following are GAO's comments to the Department of Education's 
letter dated May 25, 2011. 

GAO Comments: 

1. After reviewing the privacy policy on the department's Web site, we 
updated our report to indicate that the department asserted that it is 
taking actions to develop privacy policies addressing the agency's use 
of PII made available through social media services. We confirmed 
these actions. 

2. After reviewing additional efforts stated by the department, we 
updated our report to indicate that the department asserted that it is 
taking actions to develop records management guidance for social media 
use, although such guidance has not yet been finalized. We have not 
evaluated these actions. 

3. After reviewing additional efforts stated by the department, we 
updated our report to indicate that the department asserted that it is 
taking actions to conduct and document a PIA related to its use of 
social media, although it has not yet been finalized. We have not 
evaluated these actions. 

4. After reviewing additional efforts stated by the department, we 
updated our report to indicate that the department asserted that it is 
taking actions to conduct and document a security risk assessment 
related to its use of social media, although the assessment has not 
yet been finalized. We have not evaluated these actions. 

[End of section] 

Appendix X: Comments from the Department of Homeland Security: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

June 6, 2011: 

Gregory C. Wilshusen: 
Director: 
Information Security Issues:
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Re: Draft Report GA0-11-605, "Social Media: Federal Agencies Need 
Policies and Procedures for Managing and Protecting Information They 
Access and Disseminate" 

Dear Mr. Wilshusen: 

Thank you for the opportunity to review and comment on this draft 
report, The U.S. Department of Homeland Security (DHS) appreciates the 
U.S. Government Accountability Office's (GAO's) work in planning and 
conducting its review and issuing this report. 

We are pleased to note the draft report is broadly supportive of the 
Department's efforts to develop and implement policies and procedures 
to address the challenges of managing and protecting information 
accessed and disseminated using social media services. For example, 
the report recognizes that DHS has updated its privacy policy to 
discuss the use of personally identifiable information made available 
through these services and to prohibit the collection of such 
information by DHS officials. 

The draft report also recognizes DHS conducted a privacy impact 
assessment that assessed the risks of the Agency's use of social 
networking tools, including the potential for Agency access to the 
personal information of individuals interacting with the
Department on such sites. Moreover, the one report recommendation 
directed at DHS, which we plan to implement, is consistent with the 
DHS Chief Information Security Officer's (CISO's) mission of ensuring 
the security of the Department's systems and information. Nonetheless, 
DHS does not believe the report appropriately recognizes existing 
Departmental policy for use of social media services. For example, 
DHS' existing policy and procedures have required risk assessments to 
be performed prior to implementing information systems and new 
technologies such as social media since January 2003. 

To better highlight policy requirements related to the new social 
media technologies, in July 2009, DHS established a separate section 
in the policy dedicated to social media (Section 3.16 — Social Media, 
DHS Sensitive Systems Policy Directive 4300A). 

In late May 2011, DHS also finalized the DI-IS 43004 Sensitive Systems 
Handbook, Attachment X — Social Media. Attachment X expands on the 
existing DHS policy provided in Section 3.16 - Social Media, DHS 
Sensitive Systems Policy Directive 4300A, and DHS Management Directive 
(MD) 4400.1, Web (Internet, Intranet, and Extranet Information) and 
Information Systems. [See comment 1] 

Attachment X also provides information security guidance regarding 
official (work-related) and unofficial (personal) social media use 
within and outside the Department network. it specifically describes 
the governance of social media sites across DHS and addresses the use 
of social media technologies in three scenarios: 

* Required Work-Related Use; 
* Unofficial/Personal Use at Work; 
* Unofficial/Personal Use Outside of Work. 

Additionally, Attachment X addresses social media and its associated 
risks and best practices and guidance regarding social media use by 
DHS employees and contractors. 

The draft report contained one recommendation directed to DHS. 
Specifically, to ensure that appropriate security measures are in 
place when commercially-provided social media services are used, GAO 
recommend that the Secretary of Homeland Security: 

Recommendation: Conduct and document a security risk assessment to 
assess security threats associated with agency use of commercially-
provided social media services and identify security controls that can 
be used to mitigate the identified threats. 

Response: Concur. The DHS CISO will conduct and document the 
recommended security risk assessment. Estimated completion date: March 
i, 2012. 

Again, thank you for the opportunity to review and comment on this 
draft report. We look forward to working with you on future Homeland 
Security issues. 

Sincerely, 

Signed by: 

Jim H. Crumpacker: 
Director: 
Departmental GAO/OIG Liaison Office: 

The following are GAO's comments to the Department of Homeland 
Security's letter dated June 6, 2011. 

GAO Comments: 

1. After reviewing additional efforts stated by the department, we 
updated our report to indicate that the department asserted that it is 
taking actions to conduct and document a security risk assessment 
related to its use of social media, although the assessment has not 
yet been finalized. We have not evaluated these actions. 

[End of section] 

Appendix XI: Comments from the Department of Housing and Urban 
Development: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

U.S. Department of Housing and Urban Development: 
Chief Information Officer
Washington, DC 20410-3000: 

May 27, 2011: 

Mr. Gregory C. Wilshusen: 
Director: 
Information Technology: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on the Government 
Accountability Office (GAO) draft report entitled, Social Media: 
Federal Agencies Need Policies and Procedures for Managing and 
Protecting Information They Access and Disseminate (GAO-11-605). 

The Department of Housing and Urban Development (HUD) reviewed the 
draft report and concurs with the following recommendation for 
executive action: 

To ensure that appropriate security measures are in place when 
commercially provided social media services are used, we recommend 
that the Secretary of Housing and Urban Development take the following 
action. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of Twitter and YouTube and identify 
security controls that can be used to mitigate the identified threats. 

HUD complied with the recommendation by conducting security risk 
assessments on agency use of Twitter and YouTube. The enclosed 
documentation will verify that appropriate security controls are in 
place to mitigate identified risks. [See comment 1] 

If you have any questions or require additional information, please 
contact Joyce M. Little. Director, Office of Investment Strategies 
Policy and Management at (202) 402-7404. 

Sincerely, 

Signed by: 

[Illegible] for: 

Jerry E. Williams: 
Chief Information Officer: 

Enclosures: 

The following are GAO's comments to the Department of Housing and 
Urban Development's letter dated May 27, 2011. 

GAO Comments: 

1. After reviewing the additional documentation provided, we updated 
our report to indicate that the department asserted that it is taking 
actions to conduct and document a security risk assessment related to 
its use of social media. We confirmed these actions. 

[End of section] 

Appendix XII: Comments from the Department of Veterans Affairs: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

Department of Veterans Affairs: 
Washington DC 20420: 

May 31, 2011: 

Mr. Randall B. Williamson: 
Director, Health Care: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Williamson: 

The Department of Veterans Affairs (VA) has reviewed the Government
Accountability Office's (GAO) draft report, "Social Media: Federal 
Agencies Need Policies and Procedures for Managing and Protecting 
Information They Access and Disseminate" (GAO-11-605), and generally 
agrees with GAO's conclusions and concurs with GAO's recommendations 
to the Department. 

The enclosure specifically addresses GAO's recommendations and 
provides comments to the report. VA appreciates the opportunity to 
comment on your draft report. 

Sincerely, 

Signed by: 

John R. Gingrich: 
Chief of Staff: 

Enclosure: 

Department of Veterans Affairs (VA) Comments to Government 
Accountability Office (GAO) Draft Report: Social Media: Federal 
Agencies Need Policies and Procedures for Managing and Protecting 
Information They Access and Disseminate (GAO-11-605): 

To ensure that appropriate records management and privacy measures are 
in place when commercially provided social media services are used, 
GAO recommends that the Secretary of Veterans Affairs take the 
following two actions: 

Recommendation 1: Add records management guidance to agency social 
media policies that describes records management processes and 
policies and recordkeeping roles and responsibilities. 

VA Comment: Concur. Records management guidance has been added to the 
draft Social Media Policy which is currently in concurrence within the 
Department. [See comment 1] 

Recommendation 2: Conduct and document a privacy impact assessment 
that evaluates potential privacy risks associated with agency use of 
social media services and identifies protections to address them. 

Comments: Concur. VA understands and acknowledges the need for 
conducting Privacy Impact Assessments (PIA) on social media services 
in use by the Department in order to identify and address privacy 
risks associated with the use of these services, and to provide 
protections that address these risks. The Office of Public and
Intergovernmental Affairs (OPIA) will be working closely with the 
Office of Information and Technology and health experts in the 
Veterans Health Administration to ensure that the appropriate 
assessments and protections are conducted and implemented.
OPIA drafted a template for conducting these PIAs. VA estimates the 
PIA acceptance will be completed by June 30, 2011. [See comment 2] 

VA is also in the process of making changes to its draft Web-based 
Collaboration Tools policy. The changes will require PIAs for all Web-
based collaboration tools that will be placed on VA's intranet, 
Internet, or for any social media website hosted by a third party. 

The following are GAO's comments to the Department of Veterans 
Affairs' letter dated May 31, 2011. 

GAO Comments: 

1. After reviewing additional comments provided by department 
representatives, we updated our report to indicate that the department 
asserted that it is taking actions to develop records management 
guidance for social media use, although the guidance has not yet been 
finalized. We have not evaluated these actions. 

2. After reviewing additional comments provided by department 
representatives, we updated our report to indicate that the department 
asserted that it is taking actions to develop a PIA for its social 
media use, although the PIA has not yet been finalized. We have not 
evaluated these actions. 

[End of section] 

Appendix XIII: Comments from the Environmental Protection Agency: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

United States Environmental Protection Agency: 
Office Of Environmental Information: 
Washington, D.C. 20460: 

May 25, 2011: 

Mr. Gregory C. Wilshusen: 
Director: 
Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Re: EPA Comments on the Government Accountability Office's (GAO) draft 
report entitled: Social Media: Federal Agencies Need Policies and 
Procedures for Managing and Protecting Information They Access and 
Disseminate (GAO-11-605): 

Dear Mr. Wilshusen: 

This letter provides the U.S. Environmental Protection Agency's (EPA) 
comments on GAO's draft report entitled: Social Media: Federal 
Agencies Need Policies and Procedures for Managing and Protecting 
Information They Access and Disseminate (GAO-11-605). EPA appreciates 
the review GAO has conducted with 24 major agencies, as well as the 
opportunity to provide comments on this draft report. 

EPA understands the importance of access to its environmental 
information and is fully committed to using social media to make its 
information available to an even wider audience. This is a timely GAO 
report as social media offers many exciting opportunities, while at 
the same time creating special challenges for federal agencies. 

Here at EPA, we understand the need to provide our staff with 
policies, procedures and guidance as they continue to implement social 
media. With the need to ensure that proper records are maintained, 
that privacy is protected, and that EPA's information systems are 
protected from security threats and risks, it is vital that EPA have 
clear processes in place to address these issues. EPA is currently in 
the final stages of completing the Social Media Policy along with 
three accompanying procedures: Using Social Media Internally at EPA, 
Using Social Media to Communicate with the Public, and Representing 
EPA Online Using Social Media. 

EPA appreciates the recommendations set forth in the GAO draft report. 
As we continue to move forward with the use of social media, the 
Agency has made these recommendations a priority. 

I have enclosed our specific technical comments to the GAO 
recommendations. If you would like to discuss these matters further, 
please contact me at 202-564-6665, or your staff may contact Todd 
Holderman, Director of the Information Access Division, at 202-564-
8598. 

Sincerely, 

Signed by: 

Malcolm D. Jackson: 
Assistant Administrator and Chief Information Officer: 

Enclosure: 

cc: Seth Oster, OEAEE: 
Robin Gonzalez, OIAA: 
Andrew Bonin, OIC: 
Vaughn Noga, OTOP: 

[End of letter] 

EPA's Response to GAO Recommendations: 

Environmental Protection Agency: Draft GAO Report (GAO-11-605):
Social Media: Federal Agencies Need Policies and Procedures for 
Managing and Protecting Information They Access and Disseminate. 

Lead Office: Office of Environmental Information. 

Participating Offices: Office of Information Analysis and Access, 
Office of Information Collection, and the Office of External Affairs 
and Environmental Education. 

GAO Recommendation: 

Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

EPA Response: 

EPA agrees. The Agency's Office of External Affairs and Environmental
Education (OEAEE) is responsible for the planning, development and 
review of all Agency web products intended for the public and targeted 
audiences. OEAEE will conduct a privacy impact assessment (PIA) of 
EPA's use of social media services and identify protections to 
mitigate any risks identified. The PIA will be completed by June 30, 
2011. [See comment 1] 

GAO Recommendation: 

Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

EPA Response: 

EPA agrees. The Environmental Protection Agency (EPA) will assess 
risks associated with commercially provided social media services we 
use. Risks will be assessed by identifying associated threats and 
vulnerabilities and evaluating them against likelihood of occurrence 
and adverse impact. We will identify proper security controls that can 
be used to mitigate identified risks to an acceptable level. The risk 
assessment will be completed by June 1, 2012. [See comment 2] 

The following are GAO's comments to the Environmental Protection 
Agency's letter dated May 25, 2011. 

GAO Comments: 

1. After reviewing additional comments provided by agency 
representatives, we updated our report to indicate that the agency 
asserted that it is taking actions to develop a PIA for its social 
media use, although the PIA has not yet been finalized. We have not 
evaluated these actions. 

2. After reviewing additional comments provided by agency 
representatives, we updated our report to indicate that the agency 
asserted taking actions to develop a security risk assessment for 
social media use, although the assessment has not yet been finalized. 
We have not evaluated these actions. 

[End of section] 

Appendix XIV: Comments from the National Aeronautics and Space 
Administration: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

National Aeronautics and Space Administration: 
Headquarters: 
Washington, DC 20546-0001: 

May 31, 2011: 

Reply to Attn. of: Office of the Chief Information Officer: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
United States Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

The National Aeronautics and Space Administration (NASA) appreciates 
the opportunity to review and comment on your draft report entitled, 
"Social Media: Federal Agencies Need Policies and Procedures for 
Managing and Protecting Information They Access and Disseminate" (GAO-
I I-605). In the draft report, GAO makes three recommendations to
ensure that appropriate privacy and security measures are in place 
when commercially provided social media services are used by NASA, 
specifically: 

Recommendation 1: The Administrator of the National Aeronautics and 
Space Administration update privacy policies to describe whether PII 
made available through use of social media services is collected and 
used. 

Management Response: NASA concurs with the GAO recommendation. The NASA
Chief Information Officer (CIO) has already disseminated guidance 
regarding privacy implications in the use of social media through a 
CIO memorandum on "Appropriate Use of Web Technologies," issued August 
12, 2010, through an Agency-wide user notification and through the 
NASA CIO Web site. In addition, NASA has been reviewing all agency 
privacy policies and will update these policies to address appropriate 
security measures, prohibitions, and controls required for the use of 
social media services. [See comment1] 

Recommendation 2: The Administrator of the National Aeronautics and 
Space Administration conduct and document a privacy impact assessment 
that evaluates potential privacy risks associated with agency use of 
social media services and identifies protections to address them. 

Management Response: NASA concurs with the GAO recommendation. NASA 
policy requires that Information and Privacy Threshold Analyses 
(IPTAs), and, if appropriate, full Privacy Impact Assessments (PTAs), 
be conducted on all known systems. However, the data generated or 
collected by the social media services within the scope of this GAO
engagement (Facebook, YouTube, Twitter) exist outside of the NASA 
enterprise architecture and administrative control. As previously 
reported to GAO on January 10, 2011, no personally identifiable 
information is collected from comments posted by the public on NASA's 
own Facebook, YouTube, and Twitter pages. Nevertheless, NASA is 
currently developing a PIA of these social media services in 
accordance with OMB Memorandum 10-23, which requires an adapted PIA 
whenever an Agency's use of a third-party Web site or application 
makes PII available to the Agency. Using all information available to 
NASA, this PIA will evaluate potential privacy risks and identify 
every possible protection to address these risks. [See comment 2] 

Recommendation 3: The Administrator of the National Aeronautics and 
Space Administration conduct and document a security risk assessment 
to assess security threats associated with agency use of commercially 
provided social media services and identify security controls that can 
be used to mitigate the identified threats. 

Management Response: NASA concurs with the GAO recommendation. NASA is 
conducting and documenting a security risk assessment to assess 
security threats associated with Agency use of commercially provided 
social media services, which will identify or verify common security 
controls. In addition, NASA periodically reviews the security posture 
of commercial social media products for new vulnerabilities and 
updates its infrastructure or procedures accordingly. NASA has also 
added social media risks to the Agency's risk profile and updated 
information security training to educate its community on the risks 
associated with commercial social media services. [See comment 3] 

If you have any questions or require additional information, please 
contact the NASA Deputy CIO for IT Security, Valarie Burks at (202) 
358-3716. 

Sincerely, 

Signed by: 

Linda Cureton: 
Chief Information Officer: 

The following are GAO's comments to the National Aeronautics and Space 
Administration's letter dated May 31, 2011. 

GAO Comments: 

1. After reviewing additional efforts stated by the agency, we updated 
our report to indicate that the agency has plans to develop privacy 
policies addressing the agency's use of PII made available through 
social media services. 

2. After reviewing additional comments provided by agency 
representatives, we updated our report to indicate that the agency 
asserted that it is taking actions to develop a PIA for its social 
media use, although the PIA has not yet been finalized. We have not 
evaluated these actions. 

3. After reviewing additional comments provided by agency 
representatives, we updated our report to indicate that the agency 
asserted that it is taking actions to develop a security risk 
assessment for social media use, although the assessment has not yet 
been finalized. We have not evaluated these actions. 

[End of section] 

Appendix XV: Comments from the Office of Personnel Management: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

United States Office Of Personnel Management: 
Chief Information Officer: 
Washington, DC 20415: 

May 24, 2011: 

Mr. Gregory C. Wilshusen, Director: 
Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

We recognize that even the most well run programs can benefit from an 
external evaluation and we appreciate the input of the Government 
Accountability Office as we continue to enhance our social media 
program. We have reviewed your draft audit report (GAO-11-605) titled 
Social Media: Federal Agencies Need Policies and Procedures for 
Managing and Protecting Information and are in concurrence with the 
two recommendations for Office of Personnel Management (OPM) 
identified in the report. Specific responses to your recommendations 
are provided below. 

Response to Recommendations: 

Recommendation: To ensure that appropriate privacy and security 
measures are in place when commercially provided social media services 
are used, we recommend that the Director of the OPM take the following 
two actions: 

* Conduct and document a privacy impact assessment that evaluates 
potential privacy risks associated with agency use of social media 
services and identifies protections to address them. 

* Conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Management Response: Concur. OPM shall conduct a privacy impact 
assessment and a security risk assessment as stated in the 
recommendation. We will complete these assessments no later than 
September 30, 2011. [See comment 1] 

Sincerely, 

Signed by: 

Matthew E. Perry: 
Chief Information Officer: 

See comment 1. 

The following are GAO's comments to the Office of Personnel 
Management's letter dated May 24, 2011. 

GAO Comments: 

1. After reviewing additional comments and materials provided by 
agency representatives, we updated our report to indicate that the 
agency asserted that it is taking actions to develop both a PIA and a 
security risk assessment for its social media use. We have not 
evaluated these actions. 

[End of section] 

Appendix XVI: Comments from the Social Security Administration: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

Social Security: 
The Commissioner: 
Social Security Administration: 
Baltimore, MD 21235-0001: 

May 26, 2011: 

Mr. Gregory Wilshusen: 
Director, Information Security Issues: 
United States Government Accountability Office: 
441 G. Street, NW: 
Washington, D.C. 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to review your draft report, "Social 
Media: Federal Agencies Need Policies and Procedures for Managing and 
Protecting Information They Access and Disseminate." We have enclosed 
our response to your report. 

If you have any questions, please contact me or have your staff 
contact Chris Molander, Senior Advisor, Audit Management and Liaison 
Staff; at (410) 965-7401. 

Sincerely. 

Signed by: 

Dean S. Landis: 
Deputy Chief of Staff: 

Enclosure: 

[End of letter] 

Social Security Administration Comments On The Government 
Accountability Office Draft Report, "Social Media: Federal Agencies 
Need Policies And Procedures For Managing And Protecting Information 
They Access And Disseminate" (GAO-11-605): 

We offer the following comment. 

Recommendation: 

To ensure that appropriate privacy measures are in place when 
commercially provided social media services are used, we recommend 
that the Commissioner of the Social Security Administration take the 
following action. 

* Update privacy policies to describe whether PII made available 
through use of social media services is collected and used. 

Response: 

We do not use or collect PII made available through social media 
services. However, we will update our privacy policy to reflect that 
fact and post the update to our agency website. [See comment 1] 

The following are GAO's comments to the U.S. Agency for International 
Development's letter received on May 27, 2011. 

The following are GAO's comments to the Social Security 
Administration's letter dated May 26, 2011. 

GAO Comments: 

1. After reviewing additional comments stated by the agency, we 
updated our report to indicate that the agency has plans to develop 
privacy policies addressing the agency's use of PII made available 
through social media services. 

[End of section] 

Appendix XVII: Comments from the U.S. Agency for International 
Development: 

Note: GAO's comments supplementing those in the report's text appear 
at the end of this appendix. 

USAID: 
From The American People: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Wilshusen, 

I am pleased to provide the U.S. Agency for International Development's
formal response to the GAO draft report entitled "Social Media: Federal
Agencies Need Policies and Procedures for Managing and Protecting 
Information They Access and Disseminate" (GA0-11-605). 

The enclosed USAID comments are provided for incorporation with this 
letter as an appendix to the final report. 

Thank you for the opportunity to respond to the GAO draft report and 
for the courtesies extended by your staff in the conduct of this audit 
review. 

Sincerely, 

Signed by: 

Sean Carroll: 
Chief Operating Officer: 
U.S. Agency for International Development: 

Enclosure: a/s. 

[End of letter] 

USAID Comments On GAO Draft Report No. GAO-11-605: 

Recommendation 1: To ensure that appropriate records management and 
security measures are in place when commercially provided social media 
services are used, we recommend that the Administrator of the U.S. 
Agency for International Development (USAID) take the following 
action: Add records management guidance to agency social media 
policies that describes records management processes and policies and 
recordkeeping roles and responsibilities. 

Response: USAID concurs with recommendation 1. USAID recognizes the 
importance of adding sound records management guidance to the agency's 
social media policies. The Information and Records Division in the 
Bureau for Management's Office of Management Services is currently 
reviewing the various social media activities in which the agency is 
involved, and will establish records management guidance that will 
effectively apply lifecycle management and appropriate records 
disposition authority to the electronic record content published by 
USAID on social media sites. Target Completion Date: December 31, 
2011. [See comment 1] 

Recommendation 2: To ensure that appropriate records management and 
security measures are in place when commercially provided social media 
services are used, we recommend that the Administrator of the U.S. 
Agency for International Development take the following action, 
conduct and document a security risk assessment to assess security 
threats associated with agency use of commercially provided social 
media services and identify security controls that can be used to 
mitigate the identified threats. 

Response: The Chief Information Security Officer (CISO) concurs with 
recommendation 2. CISO will conduct a full risk assessment, identify 
security controls or compensating controls and/or create a plan of 
action and milestones where necessary. Target Completion Date: June 3, 
2011. [See comment 2] 

GAO Comments: 

1. After reviewing additional comments provided by agency 
representatives, we updated our report to indicate that the agency 
asserted that it is taking actions to develop records management 
guidance for social media use. We have not evaluated these actions. 

2. After reviewing additional comments provided by agency 
representatives, we updated our report to indicate that the agency 
asserted that it is taking actions to develop a security risk 
assessment for social media use, although the assessment has not yet 
been finalized. We have not evaluated these actions. 

[End of section] 

Appendix XVIII: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the contact above, John de Ferrari, Assistant Director; 
Sher'rie Bacon; Marisol Cruz; Jennifer Franks; Fatima Jahan; Nicole 
Jarvis; Nick Marinos; Lee McCracken; Thomas Murphy; Constantine 
Papanastasiou; David Plocher; Dana Pon; Matthew Strain; and Jeffrey 
Woodward made key contributions to this report. 

[End of section] 

Footnotes: 

[1] The White House, Memorandum for the Heads of Executive Departments 
and Agencies: Transparency and Open Government (Washington, D.C.: Jan. 
21, 2009). 

[2] For purposes of this report, the terms personal information and 
personally identifiable information are used interchangeably to refer 
to any information about an individual maintained by an agency, 
including (1) any information that can be used to distinguish or trace 
an individual's identity, such as name, Social Security number, date 
and place of birth, mother's maiden name, or biometric records, and 
(2) any other information that is linked or linkable to an individual, 
such as medical, educational, financial, and employment information. 

[3] The 24 major departments and agencies are the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Justice, Labor, State, Transportation, the Treasury, and 
Veterans Affairs; the Environmental Protection Agency, General 
Services Administration, National Aeronautics and Space 
Administration, National Science Foundation, Nuclear Regulatory 
Commission, Office of Personnel Management, Small Business 
Administration, Social Security Administration, and U.S. Agency for 
International Development. 

[4] We selected Facebook, Twitter, and YouTube because of their 
widespread use within the federal government as well as their broad 
popularity with the public. 

[5] Because the Nuclear Regulatory Commission (NRC) did not use 
Facebook, Twitter, or YouTube at the time of our review, we did not 
include it as part of our evaluation. 

[6] Chartered by Congress in 1967 as an independent, non-partisan 
organization, the National Academy is a non-profit, independent 
coalition of public management and organizational leaders that 
provides insights on key public management issues and advisory 
services to government agencies. 

[7] The Nielsen Company is a global information and measurement 
company in marketing and consumer information, television and other 
media measurement, online intelligence, mobile measurement, trade 
shows, and related assets. The company has a presence in approximately 
100 countries, with headquarters in New York. 

[8] An administrator of a YouTube page can elect to remove the ability 
for users to leave comments. 

[9] The Nuclear Regulatory Commission (NRC) does not use Facebook, 
YouTube, or Twitter. 

[10] National Archives and Records Administration, Bulletin 2011-02: 
Guidance on Managing Records in Web 2.0/Social Media Platforms 
(College Park, Md.: Oct. 20, 2010). 

[11] Office of Management and Budget, Memorandum M-10-23: Guidance for 
Agency Use of Third-Party Websites and Applications (Washington, D.C.: 
June 25, 2010). 

[12] NIST, Recommended Security Controls for Federal Information 
Systems and Organizations, Special Publication 800-53, Revision 3 
(Gaithersburg, Md.: August 2009). 

[13] GAO, Information Management: Challenges in Federal Agencies' Use 
of Web 2.0 Technologies, [hyperlink, 
http://www.gao.gov/products/GAO-10-827T] (Washington, D.C.: July 22, 
2010). 

[14] Director of National Intelligence, Statement for the Record on 
the Worldwide Threat Assessment of the U.S. Intelligence Community, 
statement before the Senate Select Committee on Intelligence (Feb. 16, 
2011). 

[15] Federal Trade Commission, FTC Accepts Final Settlement with 
Twitter for Failure to Safeguard Personal Information (press release, 
Mar. 11, 2011), [hyperlink, 
http://www.ftc.gov/opa/2011/03/twitter.shtm]. 

[16] We reviewed agency use of these services from July 2010 through 
January 2011. Because the Nuclear Regulatory Commission (NRC) did not 
use any of the three social media services, we did not include it in 
our evaluation. 

[17] Twitter differs from the other two social media services in that 
comments received to a Twitter account are not visible on the 
account's Twitter page. A tweet in reply to a comment received is 
indicated by including the "@" symbol and the user name of the 
original commenter. 

[18] [hyperlink, http://www.gao.gov/products/GAO-10-872T]. 

[19] The 12 agencies with records management guidance are the 
Departments of Commerce, Defense, Energy, Health and Human Services, 
Housing and Urban Development, the Interior, Justice, Labor, State, 
and Transportation; the Environmental Protection Agency; and the 
General Services Administration. 

[20] During the course of our review, 8 agencies reported taking 
actions to develop records management guidance that were not yet 
complete: the Departments of Agriculture, Education, Homeland 
Security, and the Treasury; National Aeronautics and Space 
Administration; Office of Personnel Management; Small Business 
Administration, and Social Security Administration. Two additional 
agencies that had not previously provided information about actions to 
develop records management guidance did so in comments on a draft of 
this report. Those agencies included the Department of Veterans 
Affairs and the U.S. Agency for International Development. 

[21] National Archives and Records Administration: A Report of Federal 
Web 2.0 Use and Record Value (Sept. 1, 2010). 

[22] [hyperlink, http://www.gao.gov/products/GAO-10-872T]. 

[23] [hyperlink, http://www.gao.gov/products/GAO-10-872T]. 

[24] "Making PII available" includes any agency action that causes PII 
to become available or accessible to the agency, whether or not the 
agency solicits or collects it. 

[25] The 12 agencies with updated privacy policies were the 
Departments of Agriculture, Defense, Energy, Homeland Security, 
Housing and Urban Development, the Interior, Justice, State, and the 
Treasury; the Environmental Protection Agency; the National Science 
Foundation; and the Office of Personnel Management. 

[26] During the course of our review, three agencies reported taking 
actions to initiate updates to their privacy policies although the 
policies had not yet been changed. These included the Department of 
Veterans Affairs, Small Business Administration, and U.S. Agency for 
International Development. Two additional agencies that had not 
previously provided information about actions to update their privacy 
policies did so in comments on a draft of this report. Those agencies 
included the Department of Education and General Services 
Administration. 

[27] Eight agencies completed PIAs that apply to the use of Facebook, 
Twitter, and YouTube: the Departments of Energy, Homeland Security, 
Housing and Urban Development, the Interior, Justice, Labor, and 
Transportation; and the National Science Foundation. 

[28] During the course of our review, five agencies reported taking 
actions to conduct and document PIAs that were not yet complete: the 
Departments of Commerce, Education, Health and Human Services; Social 
Security Administration; and U.S. Agency for International 
Development. Five additional agencies that had not previously provided 
information about actions to conduct and document PIAs did so in 
comments on a draft of this report. Those agencies included the 
Departments of Defense and Veterans Affairs; Environmental Protection 
Agency; National Aeronautics and Space Administration; and Office of 
Personnel Management. 

[29] NIST, Guide for Applying the Risk Management Framework to Federal 
Information Systems, Special Publication 800-37, Revision 1 
(Gaithersburg, Md.: February 2010). 

[30] NIST Special Publication 800-53, Revision 3. 

[31] Seven agencies completed security risk assessments for Facebook, 
Twitter, and YouTube: the Departments of Agriculture, Defense, Health 
and Human Services, the Interior, Labor, and Veterans Affairs; and the 
General Services Administration. 

[32] During the course of our review, 6 agencies reported taking 
actions to conduct and document security risk assessments that were 
not yet complete: the Departments of Education, Justice, and the 
Treasury; Environmental Protection Agency; Small Business 
Administration; and Social Security Administration. Six additional 
agencies that had not previously provided information about actions to 
conduct and document assessments did so in comments on a draft of this 
report. Those agencies included the Departments of Energy, Homeland 
Security, and Housing and Urban Development; the National Aeronautical 
and Space Administration; the Office of Personnel Management; and the 
U.S. Agency for International Development. 

[33] The agencies that included information on actions taken to 
address requirements within comments on a draft of this report were 
the Departments of Agriculture, Defense, Education, Energy, Homeland 
Security, Housing and Urban Development, State, the Treasury, and 
Veterans Affairs; the Environmental Protection Agency; the General 
Services Administration; the National Aeronautics and Space 
Administration; the Office of Personnel Management; the Small Business 
Administration; and the U.S. Agency for International Development. 

[34] The 24 major departments and agencies are the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Justice, Labor, State, Transportation, the Treasury, and 
Veterans Affairs; the Environmental Protection Agency, General 
Services Administration, National Aeronautics and Space 
Administration, National Science Foundation, Nuclear Regulatory 
Commission, Office of Personnel Management, Small Business 
Administration, Social Security Administration, and U.S. Agency for 
International Development. 

[35] At the time of our review, the Nuclear Regulatory Commission 
(NRC) did not use Facebook, Twitter, or YouTube. Additionally, the 
Department of Health and Human Services did not maintain a Facebook 
page to represent its headquarters, although various components of HHS 
maintained their own Facebook pages. 

[36] Because NRC did not use Facebook, Twitter, or YouTube at the time 
of our review, we did not include it in our evaluation of social media 
policies and procedures. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: