President Obama recently signed an Executive Order that bestowed upon the Office of the Program Manager for the Information Sharing Environment (PM-ISE) a new responsibility: going beyond sharing information to safeguarding information. The order provides clear direction on how to put machinery in place to reduce the possibility of data being inappropriately released from government systems, particularly those that contain classified information. This provision was a response to the WikiLeaks publication of State Department cables and other classified information, which turned out to be an embarrassment, to say the least.
We could speculate on why the White House assigned this mission to the PM-ISE, but thinking about it, even just a little, leads to the conclusion that the assignment makes perfect sense. The organization responsible for developing an environment for sharing information across government should surely care for that information and build safeguards to protect it. Splitting the duties of sharing and protecting information would most likely result in neither being done well. The PM-ISE also has the virtue of being a neutral force in the IT world, in that it operates nothing, argues for nothing for its own use, and is otherwise committed to serving the "whole of government" (as beltway insiders like to say).
But this safeguarding function becomes even more complicated and difficult when we address it in light of an information sharing environment that will cross jurisdictions and disciplines in government. One of the key requirements, seldom implemented in government computing systems, is to incorporate the notion of privilege into access to information. Privilege is the way information is compartmentalized in order to protect privacy and provide security, and it becomes far more critical when information is shared across agency lines. To cite a narrow but particularly difficult problem, think of juvenile data in a police records management system (RMS), where in most states access to this data is restricted to juvenile officers or participants in the juvenile justice system. The average patrol officer generally does not have broad access to these records. Now, when an investigator in another state seeks access to such records, how might the data be released without assuring that the release is to a person defined under the originating state's privacy laws as having a specific role that carries the privilege of seeing such data?
Most people think of privilege management as role based: if a user who has system access is defined to be in a specified role, then he or she may have the privilege of access. Crossing state lines, or crossing the lines from state to federal agencies, clearly complicates the decision about roles, even if we had a national directory of roles that everyone accepted, and we have no such directory. The more sensitive the data, the more narrowly access is restricted. Many programs require training and testing in order to have the privilege of access (NCIC computerized criminal history data, for example).
There are hundreds of roles that would have to be defined and related, and definitions adopted, in order to bring some discipline to privilege management through role-based access. Standards would need to be developed by stakeholder organizations, such as the National Information Exchange Model (NIEM), to bring us to the point where a directory of roles, as they vary from state to state and from federal agency to federal agency, can be relied upon by a service provider to grant access to users authenticated by a federated identity management system. This task can be done, but we are far from having finished it.
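To make the juvenile-records scenario above concrete, here is an added illustration (not code from the PM-ISE, NIEM, or any state RMS) of the access decision a service provider would have to make: the originating state's own role directory decides who is privileged, a requester from another state gets access only if the federated identity assertion carries a role that maps onto one of those privileged roles and any training the owner requires, and anything undefined is denied. The state names, role names, training certification, and mapping table are all constructed sample data.

```python
"""Cross-jurisdiction privilege check over a shared records request (added example)."""
from dataclasses import dataclass, field

# Constructed per-state role directory: for each data category, the locally
# defined roles that are privileged and any training they must have completed.
ROLE_DIRECTORY = {
    "StateA": {"juvenile_records": {"roles": {"juvenile_officer", "juvenile_court_staff"},
                                    "required_cert": None}},
    "StateB": {"juvenile_records": {"roles": {"youth_services_investigator"},
                                    "required_cert": "StateB-juvenile-privacy-training"}},
}

# Constructed cross-reference: how one jurisdiction's role names translate into
# another's vocabulary. A role with no mapping to the owner state is simply denied.
ROLE_EQUIVALENCE = {
    ("StateB", "youth_services_investigator"): {("StateA", "juvenile_officer")},
    ("StateA", "juvenile_officer"): {("StateB", "youth_services_investigator")},
}


@dataclass
class FederatedAssertion:
    """What the requester's home identity provider vouches for (hypothetical shape)."""
    subject: str
    home_state: str
    roles: frozenset
    certifications: frozenset = field(default_factory=frozenset)


def authorize(assertion, owner_state, category):
    """Return (granted, reason). Default deny whenever a definition is missing."""
    policy = ROLE_DIRECTORY.get(owner_state, {}).get(category)
    if policy is None:
        return False, f"{owner_state} defines no policy for {category}"
    # Translate each asserted role into the owning state's role vocabulary.
    effective = set()
    for role in assertion.roles:
        if assertion.home_state == owner_state:
            effective.add(role)
        else:
            for state, mapped in ROLE_EQUIVALENCE.get((assertion.home_state, role), ()):
                if state == owner_state:
                    effective.add(mapped)
    matched = effective & policy["roles"]
    if not matched:
        return False, f"no asserted role maps to a privileged role in {owner_state}"
    cert = policy["required_cert"]
    if cert and cert not in assertion.certifications:
        return False, f"missing required certification {cert}"
    return True, f"role {sorted(matched)[0]} is privileged for {category}"
```

Note that the patrol officer case fails on the role mapping rather than on the requester's identity: the federation can prove who someone is, but only the owner state's directory can say whether that person is privileged.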