GPO's Privacy Program Inspection

View Report

Date Issued

Friday, July 29, 2022

Submitting OIG

Government Publishing Office OIG

Other Participating OIGs

Government Publishing Office OIG

Agencies Reviewed/Investigated

Government Publishing Office

Report Number

22-07

Report Description

The Office of the Inspector General (OIG), Inspections Division, reviewed the effectiveness and efficiency of the U.S. Government Publishing Office’s (GPO) Privacy Program and its management of personally identifiable information (PII).

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 10 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2	No	$0	$0
Develop PIAs for the five untracked PII systems identified: HC Dashboard, APEC ABTC, DC One Card ID, Pentagon Contractors ID Card, and TWIC®.
3	No	$0	$0
Identify the mechanism to document confidentiality impact levels and document the confidentiality impact levels for all GPO PII systems.
4	No	$0	$0
Implement a process to conduct BU PII inventories and share the results with the Privacy Officer.
5	No	$0	$0
Conduct biennial Privacy Compliance Reviews in accordance with GPO’s Privacy Program directive.
6	No	$0	$0
Review all stored records to identify and mark which records contain or may contain PII.
8	No	$0	$0
Update the PIRT Framework and Procedures to incorporate the guidance for incident response plans from NIST Special Publication 800-122 and include comprehensive guidance, such as: a) defining team member roles and responsibilitiesb) defining key termsc) developing communication templatesd) ensuring notification of the appropriate individuals and organizations by identifying points of contact, including external entities, and how to contact them.
9	No	$0	$0
Update the PIHG to incorporate the guidance for incident response plans from NIST Special Publication 800-122 including comprehensive guidance, such as: a) ensuring the proper notification of the appropriate individuals and organizations when evaluating and responding to a suspected PII breach, by identifying points of contact, including external entities, and how to contact themb) stating what information is to be provided to US-CERT and the reporting method, such as through a phone call, email, or a websitec) stating how to document that the information was reported to US-CERT.
10	No	$0	$0
Develop and/or identify the one definitive method to report suspected PII breach incidents.
12	No	$0	$0
Implement a central training method to ensure employees and contractors receive PII training before accessing GPO’s information system. This method should include reassigning the responsibility for annual training to a single BU, likely Information Technology, and assigning BUs with the responsibility for specialized PII training.
13	No	$0	$0
Update the Privacy Program directive to reflect changes resulting from these recommendations.