OBIM transferred to DHS management under long-stalled cyber legislation signed into law
The Department of Homeland Security’s (DHS) Office of Biometrics Identity Management (OBIM) is being transferred to DHS’s Management Directorate, DHS announced following President Trump signing the Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018 into law, as required by the legislation. DHS said, in a brief fact sheet accompanying the announcement, that OBIM’s “placement within the DHS headquarters supports expanded collaboration and ensures OBIM’s capabilities are available across the DHS enterprise and the interagency.”
OBIM “shall” be administered by a “director with significant management experience and experience in biometrics and identity management,” the law requires. “The director [also] shall have specified duties, including leading DHS’s biometric identity services to support anti-terrorism, counterterrorism, border security, credentialing, national security, and public safety.”
CISA, which some have heralded as a “landmark” piece of legislation, “elevates the mission of the former National Protection and Programs Directorate (NPPD) within DHS, and establishes the Cybersecurity and Infrastructure Security Agency,” DHS said.
Originally introduced on July 24, 2017, by Rep. Mike McCaul (R-TX), the bill is one of a number of bills affecting biometrics that have languished in Congress for a year or more.
CISA is responsible for protecting the nation’s critical infrastructure from physical and cyber threats, a mission that requires effective coordination and collaboration among a broad spectrum of government and private sector organizations.
DHS said, “CISA leads the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow. The name CISA brings recognition to the work being done, improving its ability to engage with partners and stakeholders, and recruit top cybersecurity talent.”
CISA’s National Cybersecurity and Communications Integration Center (NCCIC) provides 24/7 cyber situational awareness, analysis, incident response and cyber defense capabilities to the federal government; state, local, tribal and territorial governments; the private sector and international partners.
It also “provides cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.”
CISA further “coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide,” and “provides consolidated all-hazards risk analysis for US critical infrastructure through the National Risk Management Center.”
“This legislation transforms NPPD into a new operational agency within the Department of Homeland Security and prioritizes our mission as the Federal leaders for cyber and physical infrastructure security,” said Christopher Krebs, Director, Cybersecurity and Infrastructure Security Agency. “The CISA Act elevates the cybersecurity mission within DHS and streamlines our operations to better secure the nation’s critical infrastructure and cyber platforms. CISA continues NPPD’s mission of leading the national effort to improve critical infrastructure security, coordinating the protection of the federal government’s networks and physical infrastructure, and helping entities in the public and private sectors manage risk.”
“Our mantra moving forward is ‘Defend Today, Secure Tomorrow.’ … CISA represents real progress in the national effort to improve our collective efforts in cybersecurity, and it improves our ability to engage with … our stakeholders.”
The responsibilities of the Cybersecurity and Infrastructure Security Agency Chief Privacy Officer (CPO) shall include the following, which senior DHS officials told Biometric Update “will have to incorporate biometrics” for personnel access to critical areas and to information, data, and communications systems:
• Assuring that the use of technologies by CISA sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;
• Assuring that personal information contained in systems of records of CISA is handled in full compliance as specified in section 552a of title 5, United States Code (commonly known as the ‘Privacy Act of 1974’);
• Evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by CISA; and
• Conducting a privacy impact assessment of proposed CISA rules on the privacy of personal information, including the type of Personally Identifiable Information – including biometrics – that’s collected, and the number of people affected.
CISA must also “develop, in coordination with the Sector-Specific Agencies with available expertise, a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency communications systems, and the physical and technological assets that support those systems.”
In addition, the new law requires CISA “to establish and utilize, in conjunction with the Chief Information Officer [CIO] of the Department, a secure communications and information technology infrastructure, including data-mining [of PII and personal biometric data] and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the department, as appropriate.”
CISA’s director is also charged with:
• Cybersecurity and critical infrastructure security programs, operations, and associated policy for CISA, including national cybersecurity asset response activities;
• Coordinating with federal entities, including Sector-Specific Agencies, and non-federal entities, including international entities, to carry out the cybersecurity and critical infrastructure activities of CISA, as appropriate;
• Carrying out the responsibilities of the DHS Secretary to secure federal information and information systems consistent with law, including subchapter II of chapter 35 of title 44, United States Code, and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113));
• Coordinating a national effort to secure and protect against critical infrastructure risks, consistent with subsection (e)(1)(E);
• Upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and, where appropriate, provide those analyses, expertise, and other technical assistance in coordination with Sector-Specific Agencies and other federal departments and agencies;
• Developing and utilizing mechanisms for active and frequent collaboration between CISA and Sector-Specific Agencies to ensure appropriate coordination, situational awareness, and communications with Sector-Specific Agencies;
• Maintaining and utilizing mechanisms for the regular and ongoing consultation and collaboration among the divisions of CISA to further operational coordination, integrated situational awareness, and improved integration across the agency in accordance with the law;
• Developing, coordinating, and implementing comprehensive strategic plans for the activities of the agency; conducting risk assessments by and for the agency; carrying out emergency communications responsibilities, in accordance with title XVIII; carrying out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement and coordinating that outreach and engagement with critical infrastructure Sector-Specific Agencies, as appropriate; and carrying out such other duties and powers prescribed by law or delegated by the DHS Secretary.
The new law mandates that the responsibilities of the DHS Secretary relating to cybersecurity and infrastructure security also include accessing, receiving, and analyzing law enforcement information, intelligence information, and other information from federal government agencies; state, local, tribal, and territorial government agencies, including law enforcement agencies; and private sector entities, and integrating that information, in support of the mission responsibilities of the department, in order to:
• Identify and assess the nature and scope of terrorist threats to the homeland;
• Detect and identify threats of terrorism against the United States; and
• Understand those threats in light of actual and potential vulnerabilities of the homeland.
The law also calls for comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the US, including risk assessments to determine the risks posed by particular types of terrorist attacks in the US (including an assessment of the probability of success of those attacks and the feasibility and potential efficacy of various countermeasures to those attacks). At the DHS secretary’s discretion, these assessments “may be carried out in coordination with Sector-Specific Agencies,” and the secretary is “to integrate relevant information, analysis, and vulnerability assessments, regardless of whether the information, analysis, or assessments are provided or produced by DHS, in order to make recommendations, including prioritization, for protective and support measures by the department, other federal government agencies, state, local, tribal, and territorial government agencies and authorities, the private sector, and other entities regarding terrorist and other threats to homeland security.”
Both senior DHS and Intelligence Community [IC] officials told Biometric Update on background that, as one put it, “pretty much all such assessments – some in real-time if there’s actionable intelligence – will necessarily require biometrically-enabled personnel, like analysts, to have to access any number of data systems containing biometric PII if they’re going to be able to connect the dots, especially in cooperation with other intelligence agencies, and, I’m assuming, with cooperation from the Four Eyes,” a reference to Australia, Canada, New Zealand, and the United Kingdom, which, along with the US, comprise an alliance (officially known as “Five Eyes” (FVEY)) bound by the multilateral UKUSA Agreement for joint cooperation in signals intelligence, military intelligence, and human intelligence.
Indeed, the law requires the DHS secretary to “ensure, pursuant to section 202, the timely and efficient access by the department to all information necessary to discharge the responsibilities under this title, including obtaining that information from other federal government agencies,” as well as to disseminate, “as appropriate, information analyzed by the department within the department to other federal government agencies with responsibilities relating to homeland security, and to state, local, tribal, and territorial government agencies and private sector entities … in order to assist in the deterrence, prevention, or preemption of, or response to, terrorist attacks against the United States.”
Of course, the law requires that “any material received pursuant to this Act is protected from unauthorized disclosure and handled and used only for the performance of official duties,” which, emphasized one of the officials who spoke to Biometric Update, “are obviously going to have to have strict biometric security access controls of one kind or another in place,” pursuant to various laws, National Institute of Standards and Technology guidelines and directives, DHS’s Privacy Office’s recent Data Mining Report to Congress, DHS’s Biometrics Strategic Framework 2015-2025, and so on.
And then there’s the additional scrutiny that Congress has put on DHS’s use of biometrics, as Biometric Update has reported. While the recently passed Transportation Security Administration [TSA] Modernization Act, for example, empowers TSA to expand field operations testing of advanced screening technologies, especially biometrics, it also puts new reins on biometric usage.
Pursuant to the new law, under “Biometric Expansion,” the TSA Administrator and the Commissioner of Customs and Border Protection (CBP) “shall consult with each other on the deployment of biometric technologies,” and under a new “Rule of Construction,” the CBP Commissioner “shall” not “facilitate or expand the deployment of biometric technologies, or otherwise collect, use, or retain biometrics, not authorized by any provision of or amendment made by the Intelligence Reform and Terrorism Prevention Act of 2004, or the Implementing Recommendations of the 9/11 Commission Act of 2007,” without the DHS secretary first submitting “to the appropriate committees of Congress, and to any member of Congress upon the request of that member, a report that includes specific assessments from the [TSA] Administrator and the Commissioner of [CBP] …”
Furthermore, while Congress recently passed legislation imposing potentially expensive (but unfunded) reporting and compliance requirements on CBP and TSA programs to expand their use of biometrics, as reported by Biometric Update, DHS’s Privacy Office’s 2018 annual report to Congress said preventing terrorism through biometrics is among the numerous biometric priorities it will put under scrutiny in the new federal fiscal year, which began in October. DHS’s Privacy Office indicated it will be keeping a close eye on the use of biometrics across the entire DHS enterprise with regard to keeping biometric-related privacy issues in check pursuant to federal laws. The Privacy Office said it “is working closely with CBP to ensure that facial recognition technology used to verify a traveler’s identity is implemented in a privacy-protective manner, as required by federal mandates.”
The CISA Act mandates DHS establish “a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under [the Act], and to disseminate information acquired and analyzed by the department, as appropriate,” including vetting of all “consumers of information provided by” DHS to expedite “identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from” DHS.
The bill also provides the DHS Secretary “the flexibility to determine an alignment of the Federal Protective Service (FPS) that best supports its critical role of protecting federal employees and securing federal facilities across the nation and territories.”
The legislation’s language “authorizes the Secretary of Homeland Security to transfer the Federal Protective Service to any component, directorate, or other office at DHS.”
This could prove a daunting task, considering the embarrassing number of Government Accountability Office (GAO) audits of FPS pointing out serious physical and internal access control weaknesses. Indeed, FPS has come under fire, including from its own personnel and contract security personnel at many facilities, over the lack of biometrics or malfunctioning biometrics; problematic personnel CACs and other PII access cards; malfunctioning readers; and a wide variety of other external and internal access security problems, an FPS contractor divulged to Biometric Update.