Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate
Highlights
Federal agencies increasingly use recently developed Internet technologies that allow individuals or groups to create, organize, comment on, and share online content. The use of these social media services-- including popular Web sites like Facebook, Twitter, and YouTube-- has been endorsed by President Obama and provides opportunities for agencies to more readily share information with and solicit feedback from the public. However, these services may also pose risks to the adequate protection of both personal and government information. GAO was asked to (1) describe how federal agencies are currently using commercially provided social media services and (2) determine the extent to which agencies have developed and implemented policies and procedures for managing and protecting information associated with this use. To do this, GAO examined the headquarters-level Facebook pages, Twitter accounts, and YouTube channels of 24 major federal agencies; reviewed pertinent policies, procedures, and guidance; and interviewed officials involved in agency use of social media.
Federal agencies have been adapting commercially provided social media technologies to support their missions. Specifically, GAO identified several distinct ways that 23 of 24 major agencies are using Facebook, Twitter, and YouTube. These include reposting information available on official agency Web sites, posting information not otherwise available on agency Web sites, soliciting comments from the public, responding to comments on posted content, and providing links to non-government sites. For example, agencies used Facebook to post pictures or descriptions of the activities of agency officials and to interact with the public. Agencies used Twitter to provide information in an abbreviated format and to direct the public back to official agency sites. YouTube was used to provide alternate means of accessing videos available on official agency sites, share videos of agency officials discussing topics of interest, or to solicit feedback from the public. The use of these services can pose challenges in managing and identifying records, protecting personal information, and ensuring the security of federal information and systems. However, the 23 major agencies that GAO identified as using social media have made mixed progress in developing and implementing policies and procedures to address these challenges:

(1) Records management: 12 of the 23 agencies have developed and issued guidance that outlines processes and policies for identifying and managing records generated by their use of social media and record-keeping roles and responsibilities.

(2) Privacy: 12 agencies have updated their privacy policies to describe whether they use personal information made available through social media, and 8 conducted and documented privacy impact assessments to identify potential privacy risks that may exist in using social media given the likelihood that personal information will be made available to the agency by the public.

(3) Security: 7 agencies identified and documented security risks (such as the potential for an attacker to use social media to collect information and launch attacks against federal information systems) and mitigating controls associated with their use of social media.

In several cases, agencies reported having policies in development to address these issues. In other cases, agencies reported that there was no need to have policies or procedures that specifically address the use of social media, since these are addressed in existing policies. However, social media technologies present unique challenges and risks, and without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information, and secure federal systems and information against threats. GAO recommends that agencies ensure that appropriate records management, privacy, and security measures are in place. Most of the agencies agreed with GAO's recommendations. Three agencies did not agree with recommendations made to them; GAO maintains that the actions are necessary.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
National Archives and Records Administration | To ensure that federal agencies have adequate guidance to determine the appropriate method for preserving federal records generated by content presented on agency social media sites, the Archivist of the United States should develop guidance on effectively capturing records from social media sites and ensure that this guidance incorporates best practices. | We verified in August 2015 that the National Archives and Records Administration issued a bulletin in 2014 with guidance on record keeping requirements and best practices for capturing records created when Federal agencies use social media. In addition, NARA issued a white paper in 2013 that documented best practices for the capture of Social Media records for government agencies. |
Department of Agriculture | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Agriculture should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In October 2011, we verified that the Department of Agriculture had developed privacy impact assessments for its uses of Social Media technologies, such as Facebook, Twitter, and YouTube. These PIAs, located on the agency's website, identify privacy risks associated with the department's use of social media tools and the mitigating strategies for addressing those risks. |
Department of Commerce | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should update privacy policies to describe whether personally identifiable information (PII) made available through use of social media services is collected and used. | The Department did not provide any evidence that it updated its privacy policies to describe whether personally identifiable information (PII) made available through the use of social media is collected and used. |
Department of Commerce | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Commerce should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | The Department did not provide any evidence that it conducted and documented a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. |
Department of Defense | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Defense should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In September 2011, we verified that the Department of Defense had updated its Privacy Impact Assessments (PIAs) for its use of Social Media technologies. These PIAs identified the privacy risks associated with the department's use of social media tools and the mitigation strategies for addressing those risks. |
Department of Education | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Education should update privacy policies to describe whether PII made available through use of social media services is collected and used. | In September 2011, we verified that the Department of Education had updated its privacy policy to describe how the agency handles personally identifiable information. The privacy policy, located on Education's website, describes that the department does not collect or in any way use personally identifiable information. |
Department of Energy | To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Energy should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | In September 2015, we verified that DOE, in response to our recommendation, has conducted and documented a security risk assessment associated with its use of social media technologies. This assessment provided information pertaining to, among other things, DOE's identification of potential threats associated with social media tools and controls to mitigate risks associated with those threats. |
Department of Health and Human Services | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Health and Human Services should update privacy policies to describe whether PII made available through use of social media services is collected and used. | In March 2012, we verified that the Department of Health and Human Services (HHS) had updated its agency privacy policy to include a discussion of the department's collection of PII made available through its use of social media services. Specifically, the policy states that HHS sometimes collects and uses PII made available through third-party websites, but does not share PII made available through third-party websites. |
Department of Homeland Security | To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Homeland Security should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | We verified that DHS, in response to our recommendation, has conducted and documented a security risk assessment associated with its use of social media technologies. This assessment provided information pertaining to, among other things, DHS's evaluation of its use of resources and controls to identify and mitigate vulnerabilities that pose internal and external threats to the agency. According to DHS's Social Media Risk Assessment Report, evaluations of social media risks were conducted in accordance with risk management guidelines specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30. |
Department of Housing and Urban Development | To ensure that appropriate security measures are in place when commercially provided social media services are used, the Secretary of Housing and Urban Development should conduct and document a security risk assessment to assess security threats associated with agency use of Twitter and YouTube and identify security controls that can be used to mitigate the identified threats. | In August 2011, we verified that the Department of Housing and Urban Development (HUD) had conducted security risk assessments on the agency's use of Social Media Technologies, such as Twitter and YouTube. This security assessment identified, among other things, security risks that social media poses to HUD information systems and the mitigating controls HUD has in place to address those identified risks. |
Department of Labor | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of Labor should update privacy policies to describe whether PII made available through use of social media services is collected and used. | In September 2011, we verified that the Department of Labor had updated its privacy policy on its Web site to include discussion of its use of PII made available through social media. Specifically, this policy states that PII cannot be requested from or collected by the department on its social media sites. |
Department of State | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of Twitter and YouTube and identifies protections to address them. | The Department did not provide any evidence that it conducted and documented a privacy impact assessment that evaluated potential privacy risks associated with agency use of Twitter and YouTube and identified protections to address them. |
Department of State | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of State should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | The Department did not provide any evidence that it conducted and documented a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. |
Department of Transportation | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should update privacy policies to describe whether PII made available through use of social media services is collected and used. | In March 2015, we verified that the Department of Transportation had updated its privacy policy to direct users to read their privacy impact assessments that discuss how the Department uses PII collected via third-party websites. The Third-Party privacy impact assessment clearly identifies that the Department does not use or collect personally identifiable information and describes the steps it takes to redact information recorded from third-party sites as a course of record keeping. |
Department of Transportation | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Secretary of Transportation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | In September 2015, agency officials provided a departmental policy on managing privacy risk in response to this recommendation; however, officials did not provide evidence that the department had conducted an assessment of security threats associated with agency use of commercially provided social media services or had identified security controls that can be used to mitigate the identified threats. |
Department of the Treasury | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Secretary of the Treasury should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In February 2016, we verified that the Department of the Treasury had created a privacy impact assessment for its use of Social Media technologies. The PIA identified the privacy risks associated with the department's use of social media tools and the mitigation strategies for addressing those risks. |
Department of Veterans Affairs | To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities. | In September 2011, we verified that the Department of Veterans Affairs had updated its social media policy to include guidance on the agency's records management process. This policy describes the department's records management processes and policies, including the roles and responsibilities of record keeping. |
Department of Veterans Affairs | To ensure that appropriate records management and privacy measures are in place when commercially provided social media services are used, the Secretary of Veterans Affairs should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In September 2011, we verified that the Department of Veterans Affairs had conducted a privacy impact assessment for its use of social media technologies. This PIA identified potential privacy risks associated with the agency's use of third-party websites and applications and mitigation strategies to address those risks. |
Environmental Protection Agency | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In August 2011, we verified that the Environmental Protection Agency had conducted and documented a privacy impact assessment (PIA) for the agency's use of social media services. The PIA identifies potential privacy risks associated with the agency's use of social media services and protections to address them. |
Environmental Protection Agency | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the Environmental Protection Agency should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | In June 2012, we verified that the Environmental Protection Agency had conducted a security risk assessment associated with its use of social media sites. This assessment provides, among other things, information on the agency's use of social media services and identifies potential security risks associated with these sites and mitigation controls to address those risks. |
General Services Administration | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used. | In August 2015, we verified that the General Services Administration had updated its privacy policy to describe how the agency handles personally identifiable information. The privacy policy, located on the Administration's website, describes that the department does not seek or ask for personally identifiable information, and then provides a link to a social media privacy impact assessment. |
General Services Administration | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the General Services Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In August 2011, we verified that the General Services Administration had conducted privacy impact assessments for its use of Social Media Technologies. These PIAs state that social media venues are currently used for one-way marketing and that GSA does not collect nor solicit personally identifiable information through these venues. |
National Aeronautics and Space Administration | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used. | In August 2015, we verified that the National Aeronautics and Space Administration (NASA) had updated its privacy notice for third-party social media websites and applications to describe how the agency handles personally identifiable information. In addition to the privacy notice, the privacy policy located on NASA's website describes the types of information the administration collects as well as information collected by third parties. According to the site, information provided on NASA's website is to be used, collected, and shared only for its intended purpose, and data will be protected in accordance with privacy principles such as the Privacy Act. |
National Aeronautics and Space Administration | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In August 2014, we verified that the National Aeronautics and Space Administration (NASA) had developed a Privacy Impact Assessment (PIA) for its use of Social Media technologies, including authorized social media websites and applications owned by NASA and/or third parties on behalf of the agency. This PIA identifies the type of information that could be collected through its social media websites and the agency's information sharing practices regarding content collected or shared on these sites by users. |
National Aeronautics and Space Administration | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Administrator of the National Aeronautics and Space Administration should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | In August 2015, we verified that the National Aeronautics and Space Administration (NASA) has developed a social media review process for requests of third-party social media websites or services that share FIPS-199 "low categorization" content to ensure compliance with Federal and departmental requirements. NASA's social media review process also includes privacy and security assessments of social media tools as a risk-based approach prior to employing social media services. |
National Science Foundation | To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities. | In January 2016, we verified that the National Science Foundation issued a bulletin in December 2015 with guidance for employees on record keeping requirements when creating social media on behalf of the agency. |
National Science Foundation | To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Director of the National Science Foundation should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | In January 2016, we verified that the National Science Foundation produced a social media security risk assessment that identified the risks associated with the department's use of social media tools and the mitigation strategies for addressing those risks. |
Office of Personnel Management | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In January 2012, we verified that the Office of Personnel Management had conducted privacy impact assessments (PIAs) for its use of social media services. These PIAs identify, among other things, potential privacy risks associated with the agency's use of social media services and mitigation strategies to address those risks. |
Office of Personnel Management | To ensure that appropriate privacy and security measures are in place when commercially provided social media services are used, the Director of the Office of Personnel Management should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | In February 2012, we verified that the Office of Personnel Management had conducted a security risk assessment in association with its use of social media technologies. This assessment evaluated, among other things, privacy threats and vulnerabilities associated with its use of social media services, including a likelihood-impact risk determination analysis of potential threats and recommended controls to mitigate those risks. |
Small Business Administration | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Administrator of the Small Business Administration should conduct and document a privacy impact assessment that evaluates potential privacy risks associated with agency use of social media services and identifies protections to address them. | In August 2015, we verified that the Small Business Administration had conducted a Privacy Impact Assessment (PIA) for its use of Social Media technologies. The PIA identified the privacy risks associated with the department's use of social media tools and the mitigation strategies for addressing those risks. |
Social Security Administration | To ensure that appropriate privacy measures are in place when commercially provided social media services are used, the Commissioner of the Social Security Administration should update privacy policies to describe whether PII made available through use of social media services is collected and used. | In February 2015, we verified that the Social Security Administration (SSA) has updated its Internet privacy policy to include information on the agency's use of social media sites. Specifically, the policy states that while SSA moderates comments or opinions made on third-party social media sites, it does not collect, maintain, or disseminate any personally identifiable information made available to SSA by those sites or users of those sites. |
U.S. Agency for International Development | To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should add records management guidance to agency social media policies that describes records management processes and policies and recordkeeping roles and responsibilities. | In September 2015, we verified that the United States Agency for International Development had updated its records management program to include guidance on the agency's records management process for social media. This policy describes the department's records management processes and policies, including the roles and responsibilities of record keeping. |
U.S. Agency for International Development | To ensure that appropriate records management and security measures are in place when commercially provided social media services are used, the Administrator of the U.S. Agency for International Development should conduct and document a security risk assessment to assess security threats associated with agency use of commercially provided social media services and identify security controls that can be used to mitigate the identified threats. | In March 2012, we verified that USAID conducted a security risk assessment on the agency's use of social media services. This assessment evaluated security threats associated with the agency's use of social media services as well as identified security controls that can be used to mitigate these risks. |