Enclosed please find the Federal Election Commission's (FEC) Privacy Act Report
for fiscal year 2009 pursuant to Section 522 of the Consolidated Appropriations Act (2005).
Respectfully submitted,
Enclosure
FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463
Most importantly, we are pleased to report that in fiscal year 2009 the Federal Election
Commission ("FEC" or "Commission") had no physical or electronic incidents resulting in the
loss of, or unauthorized access to, personally identifiable information contained in its electronic
or physical systems. The Commission did not receive any privacy complaints nor was it a party
to Privacy Act litigation in fiscal year 2009.
The FEC has always taken very seriously the need to protect the privacy of information
entrusted to it. Our efforts in this regard are substantial given that we are among the smallest of
federal agencies with fewer than 400 employees and the fact that our budget does not include any
specific provisions for privacy compliance. During fiscal year 2009, we pursued several
activities to improve agency privacy policies and to implement the Privacy Act fully:
• The Commission is currently developing a Privacy page for the FEC intranet
(FECnet) which will include links to the Agency's privacy policies and
procedures, information on contacting the Chief Privacy Officers (through
Privacy@fec.gov), information on filing Privacy complaints, links to the
Agency's system of records notices, and other useful information on protecting
PII and privacy;
• The FEC reviewed its privacy practices during the course of preparing its annual
Privacy Management Report and timely submitted the report to the Office of
Management and Budget ("OMB"); and
Review of Legislative and Regulatory Proposals
Section 522 requires that the Chief Privacy Officer evaluate legislative and regulatory
proposals that affect privacy.
The Commission adopted new regulations in fiscal year 2009 implementing the bundled
contribution disclosure provisions of the Honest Leadership and Open Government Act, Pub. L.
110-81 (121 Stat. 735), § 204. Under these rules, authorized committees of candidates for
Federal office, "leadership PACs," and political party committees must disclose certain
information about, among other entities, each person reasonably known by the reporting
committee to be a registered lobbyist who forwards, or is credited with forwarding, to the
reporting committee two or more "bundled" contributions aggregating within a threshold amount
during a specified period of time. This rule, 11 C.F.R. § 104.22(b), tracks the core disclosure
provisions of the statute. It will increase both the collection and dissemination of personal
information about individuals in the following ways. First, it will lead to the identification of
certain registered lobbyists as "bundlers" of campaign contributions. Second, it will result in the
disclosure of the addresses and employers of these individuals. Third, it will result in disclosure
of the amounts "bundled" by these individuals. All of the new information to be collected and
disseminated is specifically required by statute, 2 U.S.C. § 434(i)(1), to be both collected and
disclosed to the public.
Administrative Safeguards
The Commission's enabling statute, the Federal Election Campaign Act (FECA), as
amended, provides important administrative safeguards. Specifically, the FECA prohibits the
without written consent of the person whom the complaint or investigation is about. See 2
U.S.C. § 437g(a)(4)(B)(i) and (12)(A). Failure to comply with these FECA prohibitions may
In accordance with FEC policies, all FEC staff and contractors working off-site must
keep information relating to their work on the FEC network to the extent that the technology
available at field locations allows and thus minimize the amount of information kept on laptop,
or local, hard drives. Mindful of the need for security when FEC laptops leave the building, the
FEC encrypted the hard drives of all FEC laptops and configured them to require two-factor
authentication for access.
Contractors working for the FEC are required to comply with the Privacy Act through
Commission contracts that incorporate Privacy Act language or addendums. Moreover,
contractors with access to personal information are required to sign nondisclosure agreements
which bind them to FEC privacy policies prior to having access to our systems. They are also
required to comply with Commission Information System Security policies when accessing
Commission information resources. For instance, if a contractor uses a laptop, the system must
meet the FEC security requirements. At the end of a contract, the contractor must ensure that
any FEC data on the contractor's laptop has been removed. Any device a contractor uses for
remote access to the Commission's network must be encrypted, must use two-factor
authentication, and must include a 30-minute time-out function. FEC staff and contractors are
advised on the proper handling of agency data and encouraged to save FEC data to their network
folders, especially when performing work off-site. On the rare occasion when staff and
contractors have to save FEC data on a local hard drive, they are advised to move the data to a
network folder in a timely manner and use a wiping program to ensure the data has been properly
erased.
Individuals who access information the FEC publishes about candidate and committee
activity are reminded that that information may not be sold, used for commercial purposes, or
With respect to its website, the FEC does not collect anything other than statistical data
from browsers who access its website. It collects personal information from individuals who
request information or download data, but it does so only with the express permission of the
http://www.fec.gov/privacy.shtml.
Technical Safeguards
The FEC's technical safeguards for personally identifiable information are based on the
classification of that information as sensitive information. The protection of sensitive
information is the foundation of the Commission's Information System Security Program, a
comprehensive agency-wide program designed to ensure the confidentiality, integrity, and
availability of information systems and data and aimed at protecting the overall FEC computing
environment.
The FEC's technical safeguards include, inter alia, identification and authorization,
logical access, and monitoring. Identification and authorization, or access control, are technical
safeguards that prevent unauthorized people (or unauthorized processes) from entering an
information technology system. All FEC information systems that contain personally
identifiable information must conform to the Commission's identification and authorization
policies: the 58-3.1 Logical Access Policy, the 58-2.2 Account Management Policy, and the
FEC Password Standard.
The 58-3.1 Logical Access Policy safeguards information against unauthorized use,
disclosure, modification, damage, and loss through the use of automated mechanisms that restrict
logical access to FEC electronic information to authorized users, and uses automated procedures
to base information access on actual business needs. This policy takes into consideration
authorization, identification, authentication, privacy, and user profiles and identification.
The 58-2.2 Account Management Policy ensures that FEC information system user
accounts are consistently authorized and validated. This policy provides for individual
accountability in automated transactions, consistent adherence to user identification code
standards across FEC applications and platforms, and the protection of user accounts from
probing by unauthorized users.
The FEC Password Standard reduces the likelihood of a successful brute force attack.
This standard takes into account the current state of computer system performance, and current
password cracking programs' capabilities.
In addition, the FEC employs a number of other policies and standards as technical
safeguards: the 58-3.3 Auditing and Monitoring Policy (which enables the Commission's
technical personnel to detect potential threats to electronic information, and record selected
system activities that will be stored with integrity, and reviewed by management on a regular
basis to detect problems); the 58-2.11 Security Review Policy (which provides for the continuous
review of information systems for compliance with approved policies, procedures, and
standards); the 58-3.2 Application and Operating System Security Policy (which covers the use,
modification, and configuration of computing resource applications and operating systems); the
58-4.2 Media Management Policy (which governs the FEC electronic media life-cycle and
addresses interruptions of Commission business processes due to damage, theft, or unauthorized
access to computer-related media); and the 58-3.6 Malicious Code Policy (which covers the
prevention, detection, and repair of damage resulting from malicious code).
Firewalls control the processes and users who have external access to the FEC network.
Intelligent switches protect resources by segregating users from certain segments of the network.
Intrusion detection hardware and other network monitoring software alert administrators when
anomalies occur. The Commission has also upgraded its directory services system and has thus
enhanced the Commission's ability to manage its access control capabilities. In addition, the
FEC maintains and reviews access logs (paper and electronic) for its data center.
The FEC employs a three-layered virus prevention strategy that prevents malicious
software from propagating throughout the Commission. This three-layered strategy limits a
hacker's ability to plant listening devices on the Commission's network and/or computer systems
to collect and retrieve sensitive information.
SAVVIS Inc. provides the web hosting services for the Commission's Internet presence.
It also maintains the operating system for the Commission's website. SAVVIS has passed an
in-depth audit of information technology safeguards under Statement on Auditing Standards No. 70,
Service Organizations, an internationally recognized auditing standard developed by the
American Institute of Certified Public Accountants. SAVVIS is also contractually bound to the
Privacy Act and FEC privacy policies through GSA Order clauses. The FEC uses a web server
software package, which has a good reputation as a secure product. The web servers are
protected by hardware firewalls that permit public access only through specified protocols, thus
limiting the website's vulnerability to hackers. FEC and SAVVIS administrative personnel can
only access the servers via a secure set of standards and an associated network protocol that
establishes a secure channel between a local and a remote computer by way of public-key
cryptography. All communication to the servers (including usernames and passwords) is thus
encrypted.
The FEC has instituted a real-time Intrusion Detection System (IDS). An intrusion
detection system is used to detect several types of malicious behaviors that can compromise the
security and trust of a computer system. This includes network attacks against vulnerable
services, data driven attacks on applications, host based attacks such as privilege escalation,
unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and
worms).
The Commission uses an automated process to ensure that accounts not accessed in a
specified time are automatically disabled.
The Commission has also increased the frequency of its external and internal network
scanning for system vulnerabilities to monthly and bi-weekly, respectively. We have contracted
with two separate vendors to perform biannual independent penetration tests in order to evaluate
1 Certification and accreditation programs are required under the Federal Information Security Management Act
(FISMA), from which the FEC is exempt. However, the Commission recognizes the importance of properly
identifying vulnerabilities in its systems and implementing proper security controls and safeguards to protect its
information. Accordingly, it has developed its own certification and accreditation program to fulfill these purposes,
"Major agency system" for the purposes of this report is defined as any electronic system which directly affects the
mission of the agency (e.g. presidential matching funds system, the LAN network system, disclosure database).
infrastructure security. In addition, the Commission has contracted with Microsoft to perform a
Security Health Check to evaluate our current processes and configurations against published
Microsoft security guidance. The Security Health Check is a proactive security engagement
designed to assist customers with avoiding compromises on hosts and network environments.
In addition, the Commission uses a Microsoft patch policy to secure its workstations from
various attacks identified by Microsoft, and thus, no longer relies on users to update their
laptops/workstations with Microsoft patches. The FEC automatically pushes and installs the
patch(es) to users. Moreover, the FEC has implemented new authentication technology for its
Microsoft Windows environment, designed to enhance authentication, integrity and
confidentiality services, and the elimination of vulnerabilities found in prior Windows versions.
Employees of the Audit Division, who regularly travel outside of the office to conduct
audits of committees and campaigns, were provided with encrypted USB drives to ensure
protection of both the sensitive data collected by the auditors, and any FEC data contained on the
drives.
The FEC Office of Information Technology (OIT) and Office of Human Resources
(OHR) established a working group to implement more stringent procedures regarding the
termination of network access when employees and contractors are separated from the agency.
As a result of this collaboration, on December 7, 2009 the agency went live with the FEC Access
System (FAS), an electronic system that will track staff and contractors from the start of their
employment at the Commission to exit, and will allow managers to request and document
changes in network and application access. All new hires, transfers, account modifications, and
terminations will now be processed through this system. The implementation of FAS will aid the
agency in ensuring that after separation of FEC employment or termination of contracts,
employee and contractor user accounts are disabled and equipment is properly returned to the
FEC.
The Commission has implemented a policy (which uses Department of Defense Standard
5220.25-M) of sanitizing the hard drives of any computer system prior to issuing to another
employee or sending out for replacement.
The Commission, in conjunction with the Office of Personnel Management (OPM), has
completed Phase I of its Official Personnel Folders (OPF) electronic conversion project.
Currently OHR has converted the OPFs to electronically stored folders (eOPFs) and has archived
the paper folders, thus enhancing the security of employees' PII. In addition, all new documents,
such as SF50's, are sent directly to the employee's eOPF, which restricts access to the employee
PII information while also reducing the amount of paper records in the Agency. OHR uses this
system exclusively for all OPF related activities. OHR is currently working on Phase II of the
OPF conversion project which will allow employees to access their own OPF information.
Phase II is scheduled for full implementation before the end of calendar year 2010.
Physical Safeguards
The Commission has established physical safeguards that it believes are commensurate
with the risk associated with and the sensitivity of the information in its possession. Security
guards staff the building entrance and employees are required to show identification before
entering. Effective January 2009, these guards were armed. Individuals who wish to research
Commission public records are restricted to an area of the building that includes only public
records, and all other visitors require an employee escort. Privacy screens have been installed on
computer screens where there is a substantial likelihood that personal information may be
viewed by passers-by.
Commission policies require that paper and microfilm records are kept in limited access
areas under the personal surveillance of Commission employees during working hours and in
locked rooms during non-working hours, that CD-ROMs related to audits and investigations be
kept in locked file cabinets, and that paper records related to audits and investigations be kept in
locked safes in limited access areas of the building. Auditors in the field are instructed to keep
their audit documents under personal supervision or in locked cases. Employees with access to
payroll and travel records are advised to maintain the records in locked file cabinets in cipher
locked rooms. The Office of General Counsel has recently informed all of its employees to
report broken locks, or locks for which there are no keys, so that they may be repaired. Repair
efforts are expected to begin in the near future. All employees are advised that documents
containing sensitive information, including personal information, must be shredded prior to
disposal. To encourage safe disposal of sensitive documents, every floor in the Commission has
been outfitted with confidential and locked shred bins for employee use. We plan on continuing
to work closely with the FEC's Administrative Officer to improve physical security of sensitive
information and ensure the physical security policies are adhered to by employees.
Respectfully submitted,
Date: /1//5/
, , 0 7
Alec Palmer
Co-Chief Privacy Officer
Date: / 2.//S~/()q