On Monday (available online today) CISA is publishing a
notice in the Federal Register (86 FR 17616-17619) announcing a new Privacy Act system of records to support
CISA’s new subpoena authority. This new system of records will allow CISA “to
receive and collect customer or subscriber contact information from electronic communications service providers to identify
and notify entities at risk of security vulnerabilities relating to critical infrastructure
information systems and devices.” The new subpoena authority was provided to CISA
by §1716(a)(3) of the FY 2021 National Defense Authorization Act.

The notice includes information on:

Purpose of the

Categories of records in the system,

Routine use of

Record retention and disposal,

Record access procedures,

Contesting record

CISA is soliciting public comments on this new system of
records. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov: Docket # CISA-2021-0004).
Comments should be submitted by May 5th, 2021. The effective date for
this system of records will be April 5th, 2021, the date of
publication of the notice. Routine use of the system of records will not start
until May 5th.


These ‘system of records notices’ are about as pro forma as
legal notices get. The agency attorneys and privacy people have pored over
them to ensure that all of the I’s have been dotted and the T’s crossed. Having
said that, I do have a couple of suggestions about how this notice (and others
like it) could be improved.

First, the notice states that
the information will be Controlled Unclassified Information (CUI). The basic
rules for the protection of CUI are laid out in 32 CFR 2002. Additional requirements may be set forth by the individual program
operating specific types of CUI. That means that a full understanding of the rules
protecting the information labeled as CUI can only be had if the particular
type of CUI is designated. I suspect that in this case it will be Protected
Critical Infrastructure Information (PCII), but it would be helpful if CISA
(in this particular case) would specify that in this Notice.

This CUI issue also relates to my second suggestion. Under ‘Policies and Practices
for Storage of Records’ the Notice simply lists:

“Records in this system are stored
electronically or on paper in secure facilities in a locked drawer behind a
locked door.”

The rules of §2002 for the storage of CUI are a tad bit more
complicated than that, and the term ‘stored electronically’ provides no
information, however sketchy, about how the information is protected in electronic
format. In this day and age, and particularly from a cybersecurity agency, this
lack of attention to electronic security is unforgivable. At the very least
there should be an ‘in accordance’ reference to 6 CFR 2002 and I think that a
cybersecurity agency could be expected to also reference FIPS Pub 199 and NIST
SP 800-171, which are required standards from the CUI regulations {§2002.14(h)(2)}.

NOTE: A copy of this post will be submitted as a comment on
this Notice.

By admin