Privacy Risk Management

Related Laws, Policies, and Resources:

• OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016)

  This Circular establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services. Among other things, it establishes that Federal agencies’ privacy programs have responsibilities under the Risk Management Framework.

• OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (July 15, 2016)

  This Circular defines management’s responsibilities for enterprise risk management (ERM) and internal control. The Circular provides updated implementation guidance to Federal managers to improve accountability and effectiveness of Federal programs and mission-support operations through implementation of ERM practices and by establishing, maintaining, and assessing internal control effectiveness. Among other things, it provides considerations for managing privacy risks in Federal programs.

• OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy (September 15, 2016)

  This Memorandum revises policies on the role and designation of the SAOP. Among other things, it require the SAOP to manage privacy risks associated with any agency activities that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems.

• OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003)

  This Memorandum provides information to agencies on implementing the privacy provisions of the E-Government Act of 2002. Among other things, it includes policies and guidelines for when and how to conduct a PIA.

  A PIA is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

• NIST Special Publication 800-37 (Rev. 2), Risk Management Framework for Information Systems and Organizations (December 20, 2018)

  This Special Publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. Among other things, it describes the relationship between information security programs and privacy programs under the RMF.

• NIST Special Publication 800-53 (Rev. 5), Security and Privacy Controls for Information Systems and Organizations (September 23, 2020)

  This Special Publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

• Collaboration Index for Security and Privacy Controls (XLS) (October 1, 2022)

  This publication serves as a guide to help Federal information security programs and Federal privacy programs understand the level of collaboration that may be appropriate during the implementation step of the National Institute of Standards and Technology (NIST) Risk Management Framework. For each control and control enhancement listed in NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, this publication provides a Collaboration Index value that denotes the level of collaboration that may be appropriate.