There is a risk that Department of Homeland Security personnel are unaware of the personal information and network activity Continuous Monitoring as a Service (CMaaS) collects and that inaccuracies won’t be corrected.
DHS conducted a privacy impact assessment (PIA) of CMaaS — specifically CDM agency dashboards — and found department personnel can’t be explicitly notified when their information is collected or what data was pulled.
“[A]ll DHS personnel may reasonably expect that personal information may be used for administrative, managerial, and security functions at their agencies of employment,” reads the assessment released Wednesday.
Information collected through CMaaS is compiled into customized reports on agency dashboards alerting security personnel to the most critical cybersecurity risks. Summary information then feeds onto a federal dashboard managed by the Cybersecurity and Infrastructure Security Agency for all of government to see.
CMaaS simply pulls data from authoritative sources that have already collected the information, and those systems may notify users, the assessment adds.
Logon banners, user agreements and the PIA itself already notify users of computer network monitoring, so they can forgo using federal systems or use them selectively to transmit information, according to the assessment.
DHS also found there are no procedures allowing federal employees to access their data on agency dashboards or the CMaaS tools and sensors collecting the information — let alone correct inaccuracies or errors.
Agency dashboards may only be accessed by DHS cybersecurity personnel, so users can only correct inaccuracies and errors by reaching back to the source systems CMaaS pulls data from. Those systems have their own procedures.
Still, it’s unlikely CMaaS will display misinformation because the information is already vetted by the source systems, according to the assessment.
Inaccuracies and errors also won’t impact employees directly.
“For example, CMaaS currently does not have the ability to shut off a user’s access to the network if it is determined that the individual does not have the appropriate BEHAVE attributes (e.g., a required training),” reads the assessment.