Sunday, April 4, 2021

CISA Publishes Subpoena Privacy System of Records Notice – 4-5-21

On Monday (available online today) CISA is publishing a notice in the Federal Register (86 FR 17616-17619) announcing a new Privacy Act system of records to support CISA’s new subpoena authority. This new system of records will allow CISA “to receive and collect customer or subscriber contact information from electronic communications service providers to identify and notify entities at risk of security vulnerabilities relating to critical infrastructure information systems and devices.” The new subpoena authority was provided to CISA by §1716(a)(3) of the FY 2021 National Defense Authorization Act.

The notice includes information on:

Purpose of the system,

Categories of records in the system,

Routine use of records,

Record retention and disposal,

Record access procedures, and

Contesting record procedures.

CISA is soliciting public comments on this new system of records. Comments may be submitted via the Federal eRulemaking Portal (Docket # CISA-2021-0004). Comments should be submitted by May 5th, 2021. The effective date for this system of records will be April 5th, 2021, the date of publication of the notice. Routine use of the system of records will not start until May 5th.


These ‘system of records notices’ are about as pro forma as legal notices get. The agency attorneys and privacy people have pored over them to ensure that all of the i’s have been dotted and the t’s crossed. Having said that, I do have a couple of suggestions about how this notice (and others like it) could be improved.

First, the notice states that the information will be Controlled Unclassified Information (CUI). The basic rules for the protection of CUI are laid out in 32 CFR 2002. Additional requirements may be set forth by the individual program operating specific types of CUI. That means that a full understanding of the rules protecting the information labeled as CUI can only be had if the particular type of CUI is designated. I suspect that in this case it will be Protected Critical Infrastructure Information (PCII), but it would be helpful if CISA (in this particular case) would specify that in this Notice.

This CUI issue also relates to my second suggestion. Under ‘Policies and Practices for Storage of Records’ the Notice simply lists:

“Records in this system are stored electronically or on paper in secure facilities in a locked drawer behind a locked door.”

The rules of §2002 for the storage of CUI are a tad bit more complicated than that, and the term ‘stored electronically’ provides no information, however sketchy, about how the information is protected in electronic format. In this day and age, and particularly from a cybersecurity agency, this lack of attention to electronic security is unforgivable. At the very least there should be an ‘in accordance with’ reference to 32 CFR 2002, and I think that a cybersecurity agency could be expected to also reference FIPS Pub 199 and NIST SP 800-171, which are required standards under the CUI regulations {§2002.14(h)(2)}.

NOTE: A copy of this post will be submitted as a comment on this Notice.
