Federal Privacy Laws, Guidance, and Regulations related to the U.S. Forest Service
Applicable Federal laws and regulations include, but are not limited to:
Privacy Act of 1974
E-Government Act of 2002
Paperwork Reduction Act of 1995
Clinger-Cohen Act of 1996
U.S. Forest Service Directives include, but are not limited to:
FSH 6209.13 – FREEDOM OF INFORMATION ACT/PRIVACY ACT HANDBOOK
FSH 6209.11 – RECORDS MANAGEMENT HANDBOOK
FSH 6309.32 – FEDERAL ACQUISITION REGULATION – Part 4G24 – Protection of Privacy and Freedom of Information
TITLE 6100 – PERSONNEL MANAGEMENT
FSH 6109.11 – PAY ADMINISTRATION, ATTENDANCE AND LEAVE HANDBOOK
CHAPTER 6680 – SECURITY OF INFORMATION, INFORMATION SYSTEMS, AND INFORMATION TECHNOLOGY
U.S. Department of Agriculture Directives include, but are not limited to:
DM3515-000 – Privacy Requirements
DR3515-001 – Use of Web Measurement and Customization Technologies
DM 3515-002 – Privacy Impact Assessment
DM3500-000 – USDA Cyber Security Manual Series 3500
DM3505-000 – USDA Computer Incident Response Procedures
DM3505-001 – USDA Cyber Security Incident Handling Procedures
DR3410-001 – Information Collection Activities – Collection of Information from the Public
DR3440-002 – Control and Protection of “Sensitive Security Information”
DR3441-001 – USDA Sensitive Compartmented Information Security Program
DR3450-001 – Computer Matching Projects
DR3450-002 – FOIA Implementing Regulations
DM3555-000 – Certification and Accreditation of Information Systems
Office of Management and Budget (OMB) requirements include, but are not limited to:
OMB Circular A-130, Appendix I
FISMA Reporting Instructions for Agency Privacy Management
OMB Memo M-05-08, Designation of Senior Agency Officials for Privacy (SAOP)
OMB Memo M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information
OMB Instructions for Complying with the President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records”
What other privacy laws, directives and guidance exist?
Each organization will have its own legal and policy-based compliance requirements. The following is an extensive but not exhaustive list of requirements sources that generally apply to all federal organizations; their applicability depends on the organization’s mission and mandates.
Federal Requirements
Administrative Procedure Act (5 U.S.C. §§ 551, 554-558)
Bank Secrecy Act (31 U.S.C. §§ 5311-5330, 31 C.F.R. § 103)
Census Confidentiality Statute (13 U.S.C. § 9)
Children’s Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501 et seq., 16 C.F.R. § 312)
Communications Assistance for Law Enforcement (47 U.S.C. § 1001)
Computer Security Act (40 U.S.C. § 1441)
Confidential Information Protection and Statistical Efficiency Act of 2002 (Pub. L. No. 107-347, Title V, Dec. 17, 2002, 116 Stat. 2962)
Criminal Justice Information Systems (42 U.S.C. § 3789g)
Drug and Alcoholism Abuse Confidentiality Statutes (21 U.S.C. § 1175; 42 U.S.C. § 290dd-3)
Employee Polygraph Protection Act (29 U.S.C. § 2001, et seq.)
E-Government Act of 2002 (Pub. L. No. 107-347, 116 Stat. 2899)
Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 C.F.R. § 99)
Federal Agency Data Mining Reporting Act of 2007 (42 U.S.C. § 2000ee-3)
Federal Records Act of 1950 (44 U.S.C. Ch 31)
Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541, et seq.)
Freedom of Information Act (FOIA, 5 U.S.C. § 552)
Gramm-Leach-Bliley Act (GLBA, Pub. L. No. 106-102, 113 Stat. 1338)
Health Insurance Portability and Accountability Act of 1996 (HIPAA, Pub. L. No. 104-191)
Health Information Technology for Economic and Clinical Health Act (HITECH Act, 42 U.S.C. §§ 300jj et seq.; 17901 et seq.)
Homeland Security Presidential Directive-12 (HSPD-12): Policies for Common Identification Standard for Federal Employees and Contractors
Best Practices: Elements of a Federal Privacy Program, June 2010
Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007 (42 U.S.C. § 2000ee-1)
Intelligence Reform and Terrorism Prevention Act (Pub. L No. 108-458)
Paperwork Reduction Act of 1980 (44 U.S.C. § 3501, et seq.)
Privacy Act of 1974, as amended (5 U.S.C. § 552a)
Right to Financial Privacy Act (12 U.S.C. § 3401 et seq.)
Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745)
Tax Reform Act (26 U.S.C. §§ 6103, 6108, 7609)
Section 522 of the Transportation, Treasury, and Independent Agencies, and General Government Appropriations Act of 2005 (Pub. L. No. 108-447, div. H, Dec. 8, 2004, 118 Stat. 2809)
Office of Management and Budget (OMB) Guidance
Privacy Act Implementation (July 9, 1975)
Privacy Act Responsibilities for Implementing the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (November 3, 1997)
M-99-05, Instructions on Complying with President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records” (January 7, 1999)
Biennial Privacy Act and Computer Matching Reports (June 1998)
M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)
OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals (2000)
Status of Biennial Reporting Requirements under the Privacy Act and the Computer Matching and Privacy Protection Act (June 21, 2000)
M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000) (Rescinded by OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010))
Letter from Roger Baker to John Spotila on Federal agency use of Web cookies (July 28, 2000)
Letter from John Spotila to Roger Baker, clarification of OMB Cookies Policy (September 5, 2000)
M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy (December 20, 2000)
M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 30, 2003)
M-05-04, Policies for Federal Agency Public Websites (December 17, 2004)
M-05-08, Designation of Senior Agency Officials for Privacy (February 11, 2005)
M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (June 13, 2005)
M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (August 5, 2005)
M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006)
M-06-16, Protection of Sensitive Agency Information (June 23, 2006)
M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006)
M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006)
Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006)
M-07-16, Safeguarding Against & Responding to Breach of Personally Identifiable Information (May 22, 2007)
M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007)
M-07-20, FY 2007 E-Government Act Reporting Instructions (August 14, 2008)
M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008)
M-08-21, FY 2008 Reporting Instructions for the FISMA and Agency Privacy Management (July 14, 2008)
M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (August 20, 2009)
M-10-06, Open Government Directive (December 8, 2009)
M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010)
M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010)
National Institute of Standards and Technology (NIST) Guidance
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (February 2004)
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (March 2006)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (October 1995)
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1998)
NIST SP 800-16, Information Technology Security Training Requirements (April 1998)
NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002)
NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (February 2010)
NIST SP 800-39, DRAFT Managing Risk from Information Systems: An Organizational Perspective, Second Public Draft (April 2008)
NIST SP 800-50, Building Information Technology Security Awareness and Training Program (October 2003)
NIST SP 800-53, Recommended Security Controls for Federal Information Systems (Rev. 3, August 2009)
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (July 2008)
NIST SP 800-59, Guideline for Identifying an Information System as a National Security System (August 2003)
NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories (August 2008)
NIST SP 800-61, Computer Security Incident Handling Guide (March 2008)
NIST SP 800-64, Security Considerations in the System Development Lifecycle (October 2008)
NIST SP 800-83, Guide to Malware Incident Prevention and Handling (November 2005)
NIST SP 800-100, Information Security Handbook: A Guide for Managers (October 2006)
NIST SP 800-122, Guide to Protecting the Confidentiality of PII (April 2010)
Government Accountability Office (GAO) Reports
GAO-09-759T, Governments Have Acted to Protect PII, but Vulnerabilities Remain
GAO-09-136, Continued Efforts Needed to Address Significant Weaknesses at IRS
GAO-08-795T, Congress Should Consider Alternatives for Strengthening Protection of PII
GAO-08-536, Alternatives Exist for Enhancing Protection of Personally Identifiable Information
GAO-08-343, Protecting Personally Identifiable Information
GAO-07-935T, Agencies Report Progress, but Sensitive Data Remain at Risk
GAO-07-870, DHS Needs to Immediately Address Significant Weaknesses in Systems Supporting US-VISIT
GAO-07-837, Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses
GAO-07-751T, Persistent Weaknesses Highlight Need for Further Improvement
GAO-07-657, Lessons Learned about Data Breach Notification
GAO-07-1003T, Homeland Security Needs to Enhance Effectiveness of Its Program
GAO-06-897T, Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs
GAO-06-866T, Leadership Needed to Address Information Security Weaknesses and Privacy Issues
GAO-06-833T, Preventing and Responding to Improper Disclosures of Personal Information