FIMA’s electronic document and records management system mostly in compliance
A recent Department of Homeland Security Privacy Impact Assessment (PIA) on FEMA’s Federal Insurance and Mitigation Administration’s (FIMA) Electronic Document and Records Management System (EDRMS) identified privacy risks that DHS’s privacy office says are being mitigated, but which the PIA acknowledges are mitigated only to the extent that policies and practices are actually followed.
Nevertheless, in accordance with Office of Management and Budget (OMB) Memorandum M-12-18 (OMB M-12-18), which requires that documents and records be managed in an electronic format, DHS affirmed that FIMA’s conversion of paper documents for storage in EDRMS complies with OMB’s requirements.
EDRMS collects, disseminates, retrieves, and maintains a wide variety of FIMA documents and copies of records containing personally identifiable information (PII), including biometric information, from FIMA organizations.
Many of the documents in EDRMS originate from federal directorates and offices and contain highly sensitive PII. EDRMS also stores PII such as FEMA users’ usernames in each record’s metadata and in its audit logs.
The DHS 4300A Sensitive Systems Handbook provides specific techniques and procedures (including biometric solutions) for implementing the requirements of the DHS Information Security Program for DHS sensitive systems and for systems that process sensitive information for DHS.
As the publication notes, Sensitive Personally Identifiable Information (SPII) includes, but is not limited to, biometric identifiers such as fingerprints, voiceprints, iris scans, and photographic facial images. “PII also includes any other unique identifying number or characteristic, and any information where it is reasonably foreseeable that the information will be linked with other information to identify the individual,” the document states.
Documents are submitted to EDRMS for storage by the following FIMA directorates and offices: the Risk Management Directorate, Mitigation Directorate, Fund Management Directorate, Federal Insurance Directorate, the Office of Environmental Planning and Historic Preservation, FIMA Legal Division, FIMA Flood Insurance Advocate, and FIMA Office of the Associate Administrator.
FIMA also uses EDRMS for document management and records management, and for converting paper documents to an electronic format in compliance with National Archives and Records Administration (NARA) requirements, OMB guidance and regulations on the management of federal records, and executive directives. EDRMS serves as the central storage for electronically scanned FIMA documents that are not stored in other FIMA information technology (IT) systems.
FIMA’s “mission is to increase the capabilities necessary to reduce loss of life and property by lessening the impact of disasters. These capabilities include, but are not limited to, community-wide risk reduction projects; the transfer of flood risk through insurance; efforts to improve the resilience of critical infrastructure and key resource lifelines; risk reduction for specific vulnerabilities from natural hazards or acts of terrorism; and initiatives to reduce future risks after a disaster has occurred.”
PII contained in the system includes:
• Bank routing numbers;
• Bank account numbers;
• Unique Identifier (e.g., employer identification number (EIN), recipient account numbers, or Data Universal Numbering System (DUNS) Number);
• Finance Unique Identification (number, employer/federal ID, etc.);
• Mailing address;
• Office phone number and extension;
• Office cellphone number;
• Office fax number; and
• Work email address.
Among the risks is EDRMS users entering incorrect records classification or metadata information, which can cause another EDRMS user to inadvertently access records without an appropriate need to know. But, “FEMA cannot fully mitigate this risk due to possible human errors inherent with entering information into a system,” the PIA revealed.
In addition, there is a risk that FIMA is over-collecting information, with the same information being stored both in paper files and digitally in EDRMS or other FIMA-related systems. But, “FEMA does not fully mitigate this risk. EDRMS is not a requirement for all of FIMA to use. Some offices, therefore, may continue to use paper records while some are able to benefit from the use of EDRMS. EDRMS does not connect to any other FEMA system with the exception of the FEN and the FEIMS for security and access control.”
FEMA may also maintain inaccurate or outdated data within EDRMS. This risk is also not mitigated.
There is also a privacy risk that the originating FIMA offices do not provide notice through their own PIA documentation. This privacy risk is only partially mitigated so far.
There is also the risk that data within EDRMS may be used for an unintended or unauthorized purpose.
The PIA states, “Only authorized EDRMS users have access to documents and records stored in EDRMS. The authorization to create an EDRMS user account is the responsibility of the EDRMS program managers, the EDRMS system owner, and the originating FIMA office. It is the responsibility of the originating FIMA office to ensure its EDRMS users use retrieved EDRMS documents in accordance with its PIA and its SORN. Users’ access to data and functionality is based on the users’ location, position description, projects, and EDRMS user role assignment. EDRMS users are required to annually sign Rules of Behavior.”
There is a risk that PII and other personal information within EDRMS may be erroneously disclosed outside of DHS. The PIA stated, “Access to EDRMS is extremely limited based on various EDRMS parameters, including location and role-based access granted only for those individuals who need to know the information to perform their jobs. Sharing of information … is tracked by FEMA’s Information Management Division and the EDRMS system.”
According to DHS, “EDRMS is accessible only by FIMA employees and contractors within FEMA’s Enterprise Network (FEN), and is not accessible by the public. The EDRMS Regional Administrator and the System Owner authorize access to EDRMS records and documents based on the EDRMS user’s position and region.
“Authorized FIMA users access EDRMS after successful authentication by the FEMA Enterprise Identity Management System (FEIMS) Single Sign-On (SSO) process using their Personal Identity Verification (PIV) cards,” FEMA said, adding that “EDRMS includes functionality that restricts access to documents and data based on the user’s position and region. All user activity is logged and reviewed by the operating system administrator and the Information System Security Officer (ISSO).”
DHS said, “EDRMS institutes technical security controls, rules of behavior policies, security awareness communications, and other security processes, such as periodic audits and log reviews,” and that “only a relatively small group of authorized users have access to EDRMS, based upon specific, established responsibilities and permissions set within the system. Users include FEMA employees and contractors only. Individuals that engage in unauthorized access to EDRMS are subject to disciplinary action that can result in account termination or suspension. Additionally, FEMA ensures that the practices stated in this PIA are followed by leveraging standard operating procedures, which are updated annually.”
Additionally, the department stated, “EDRMS only allows authorized FEMA personnel access within the FEMA firewall and no public access is possible. EDRMS users gain access to the system through the FEIMS SSO using their PIV card. All EDRMS activity is logged and reviewed on a daily basis. Auditable events are retained for one year when there are no security incidents. If a security incident is reported, the audit logs are retained for three years after the end of the security event investigation. EDRMS security mechanisms (i.e., technical, operational, and managerial) are assessed based on DHS 4300A and National Institute of Standards and Technology SP 800-53A. EDRMS is approved by FEMA and is included in the DHS Technical Reference Model.”
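The audit-log retention rule quoted above (one year with no incident; three years after an investigation closes) is the kind of policy a log-management job has to evaluate per event. The following is an added illustration, not code from FEMA, DHS or the PIA; the event structure, the 365-day year, and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention periods as stated in the PIA; the 365-day year is an assumption.
NO_INCIDENT_RETENTION = timedelta(days=365)        # one year when no incident
POST_INCIDENT_RETENTION = timedelta(days=3 * 365)  # three years after investigation ends


@dataclass
class AuditEvent:
    """One auditable EDRMS event (hypothetical structure, not the real log schema)."""
    event_date: date
    user: str
    action: str
    incident_reported: bool = False
    investigation_closed: Optional[date] = None  # None while an incident is still open


def retention_end(event: AuditEvent) -> Optional[date]:
    """Earliest date the event may be purged, or None if it must still be held."""
    if not event.incident_reported:
        return event.event_date + NO_INCIDENT_RETENTION
    if event.investigation_closed is None:
        # Incident reported but investigation not finished: no purge date yet.
        return None
    return event.investigation_closed + POST_INCIDENT_RETENTION


def is_purgeable(event: AuditEvent, today: date) -> bool:
    """True only when a purge date exists and has been reached."""
    end = retention_end(event)
    return end is not None and today >= end


def purge_candidates(events: List[AuditEvent], today: date) -> List[AuditEvent]:
    """Select events a daily retention job could delete on the given day."""
    return [e for e in events if is_purgeable(e, today)]


# Constructed sample events (not from the PIA): a routine view, an open incident,
# and an incident whose investigation closed on 2023-06-01.
SAMPLE_EVENTS = [
    AuditEvent(date(2023, 1, 10), "user.a", "view"),
    AuditEvent(date(2023, 1, 10), "user.b", "export", incident_reported=True),
    AuditEvent(date(2023, 1, 10), "user.c", "view", incident_reported=True,
               investigation_closed=date(2023, 6, 1)),
]

if __name__ == "__main__":
    for e in purge_candidates(SAMPLE_EVENTS, date(2024, 2, 1)):
        print(f"purgeable on 2024-02-01: {e.user} {e.action} ({e.event_date})")
```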
DHS’s 4300A Sensitive Systems Handbook incorporates NIST SP 800-53A.
NIST SP 800-53A states that, with regard to Identifier Management and Multiple Forms of Certification, the assessor should “determine if the organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority.”
Regarding Authenticator Management and Biometric Authentication, NIST’s assessment objective is for federal agencies to determine if, for biometric-based authentication, the organization defines biometric quality requirements to be satisfied, and whether the information system employs mechanisms that satisfy organization-defined biometric quality requirements.