The American Spark
Passport Files Not Properly Protected, Says Gov't Study
By Cliff Montgomery - July 22nd, 2008
This month, the inspector general for the U.S. State Department and the Broadcasting Board of Governors
released a damning audit of America's passport record controls.
The study "found many control weaknesses--including a general lack of policies, procedures, guidance, and
training--relating to the prevention and detection of unauthorized access to passport and applicant
information."
This matter is terribly important, as passport records contain such "personally identifiable information...as the
applicant’s name, gender, social security number, date and place of birth, and passport number." There
currently are about 127 million individuals holding U.S. passports, according to the study.
The weaknesses in passport data protection surfaced in March of this year, when three individuals were caught
snooping into the passport files of senators and presidential candidates Barack Obama (D-IL), Hillary Clinton
(D-NY) and John McCain (R-AZ). The American Spark ran an interesting March story on that matter.
But that spying led to this eye-opening audit, which discovered essential weaknesses in the U.S. passport
program. We quote some of the most pertinent sections of that report below:
"In March 2008, media reports surfaced that the passport files maintained by the Department of State
(Department) of three U.S. Senators, who were also presidential candidates, had been improperly accessed
by Department employees and contract staff.
"On March 21, 2008, following the first reported breach and at the direction of the Acting Inspector General,
the Office of Inspector General (OIG), Office of Audits, initiated this limited review of Bureau of Consular
Affairs (CA) controls over access to passport records in the Department’s Passport Information Electronic
Records System (PIERS).
"Specifically, this review focused on determining whether the Department (1) adequately protects passport
records and data contained in PIERS from unauthorized access and (2) responds effectively when incidents of
unauthorized access occur.
"As of April 2008, PIERS contained records on about 192 million passports for about 127 million passport
holders. These records include personally identifiable information (PII), such as the applicant’s name, gender,
social security number, date and place of birth, and passport number.
"PIERS offers users the ability to query information pertaining to passports and vital records, as well as to
request original copies of the associated documents. As a result, PIERS records are protected from release by
the Privacy Act of 1974. Unauthorized access to PIERS records may also constitute a violation of the
Computer Fraud and Abuse Act."
"With certain exceptions, the Privacy Act prohibits an agency’s release of information in an individual’s records
that includes, but is not limited to, information on an individual’s education; financial transactions; medical,
criminal, or employment history; and name or identifying number (i.e., Social Security number)."
"Under these provisions, PIERS records should be protected against any unauthorized access that could
result in harm, embarrassment, or unfairness to any individual on whom information is maintained."
"According to CA officials, there were about 20,500 users with active PIERS accounts as of May 2008, and
about 12,200 of these users were employees or contractors of the Department. PIERS is also accessed by
users at other federal agencies to assist in conducting investigations, security assessments, and analyses.
"These other federal entities are located across the United States and include the Department of Homeland
Security (DHS), the Federal Bureau of Investigation (FBI), and the Office of Personnel Management (OPM)."
"OIG found many control weaknesses--including a general lack of policies, procedures, guidance, and training--
relating to the prevention and detection of unauthorized access to passport and applicant information and the
subsequent response and disciplinary processes when a potential unauthorized access is substantiated.
"In some cases, Department officials stated that the lack of resources contributed to the lack of controls and
to the Department’s ability to assess vulnerabilities and risk. OIG has made 22 recommendations to address
the control weaknesses found."
"Of the 22 recommendations made by OIG, the Department generally agreed with 19, partially agreed with 1,
and did not concur with 2. Based on the responses, OIG considers 19 recommendations resolved and three
recommendations unresolved.
"To ensure that adequate and timely progress is achieved, OIG will conduct a follow-up compliance review of
the Department’s implementation of the recommendations in this report, as well as CA’s process for reviewing
possible unauthorized accesses by users as identified in OIG’s study."