Dangerous Data Practices: Why Federal Agencies Reporting “5 Things” To an Anonymous Mailbox Is a Security Risk
Introduction
As cybersecurity professionals and public sector employees, we often encounter directives that look innocuous but pose real risks to our agencies and may conflict with federal law and regulation. A recent case has come to light in which a federal agency received a request from the Office of Personnel Management (OPM) that all agency staff send weekly reports of their work activities to an unidentified email distribution at OPM (HR @ OPM.gov). This practice raises numerous red flags and likely violates several federal regulations and laws.
The Risks Involved
1. Data Privacy and Security Concerns
Sending detailed work activity reports to an unverified mailbox poses substantial risks to data privacy and security. These reports may describe ongoing projects and individual employee activities, and staff summarizing their week may inadvertently include classified or controlled unclassified information for which ordinary email is not an approved channel. Even items that are harmless on their own become sensitive once aggregated across an entire agency. Without verification of who actually reads the mailbox and a protected transmission path, this information could be misrouted, intercepted, or collected by unauthorized parties.
2. Potential for Phishing and Social Engineering
The use of a generic, shared email address (HR @ OPM.gov) for such reports is particularly concerning. A generic mailbox is easy to impersonate with a lookalike domain, a spoofed display name, or a Reply-To header that silently redirects responses, and employees who have been told to expect such a request are primed to answer any message that resembles it. Malicious actors could exploit this through phishing or social engineering to trick employees into sending sensitive information to unauthorized parties.
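As an added example (not part of the original article), the check below shows the kind of header inspection a mail gateway or security team could run on a message claiming to come from OPM. It is hypothetical: the trusted-domain list, the two constructed messages, and the lookalike domains in them are assumptions made for illustration, and the DMARC verdict is only meaningful when the `Authentication-Results` header was added by your own receiving mail server.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List

# Assumption for this example: a genuine OPM request originates from opm.gov
# or one of its subdomains. Lookalikes such as opm-gov.com or
# opm.gov.<someone-else>.net must not pass.
TRUSTED_DOMAINS = ("opm.gov",)


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    """True only for an exact trusted domain or a real subdomain of one.
    A plain substring test would wrongly accept 'opm.gov.evil.net'."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def dmarc_result(msg) -> str:
    """Return the DMARC verdict recorded by the receiving MTA, or 'none' if absent."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", str(hdr), re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"


def check_request(raw: str) -> List[str]:
    """Return the red flags found in a raw message; an empty list means none."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    from_hdr = str(msg.get("From", ""))
    from_dom = domain_of(from_hdr)
    if not is_trusted(from_dom):
        flags.append(f"from-domain-untrusted:{from_dom or 'missing'}")

    # Display name claims OPM while the address does not belong to OPM.
    display_name, _ = parseaddr(from_hdr)
    if "opm" in display_name.lower() and not is_trusted(from_dom):
        flags.append("display-name-impersonates-opm")

    # Replies would go somewhere other than the apparent sender.
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to-mismatch:{reply_dom}")

    verdict = dmarc_result(msg)
    if verdict != "pass":
        flags.append(f"dmarc:{verdict}")
    return flags


# Constructed sample messages (not real mail); headers are assumptions.
GENUINE_REQUEST = """From: OPM HR <hr@opm.gov>
To: staff@agency.gov
Subject: Weekly accomplishments
Authentication-Results: mx.agency.gov; spf=pass smtp.mailfrom=opm.gov; dkim=pass header.d=opm.gov; dmarc=pass header.from=opm.gov

Please reply with five bullets describing last week's work.
"""

SPOOFED_REQUEST = """From: OPM HR <hr@opm-gov.com>
Reply-To: collect@opm.gov.mailbox-relay.net
To: staff@agency.gov
Subject: Weekly accomplishments
Authentication-Results: mx.agency.gov; spf=fail smtp.mailfrom=opm-gov.com; dmarc=none

Please reply with five bullets describing last week's work.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(label, check_request(raw) or "no flags")
```

The genuine message raises no flags; the spoofed one is flagged four times (untrusted sender domain, impersonating display name, redirected Reply-To, and no DMARC pass). In production, strip any `Authentication-Results` headers that arrive from outside before your own server adds its verdict, otherwise an attacker can simply include a `dmarc=pass` line.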
Violations of Federal Laws and Regulations
1. FISMA Compliance Issues
The Federal Information Security Modernization Act (FISMA) of 2014 requires federal agencies to implement information security programs to protect government information and systems [4]. Whether a given practice conflicts with an agency's program depends on that agency's control baseline, but the practice in question is hard to reconcile with several NIST SP 800-53 Rev 5 controls, including:
- AC-4: Information Flow Enforcement
- SC-7: Boundary Protection
- SI-19: De-Identification
These controls govern where information is permitted to flow, what may cross the system boundary, and how personal identifiers are removed before data is shared; none of them is satisfied by free-text email to an unverified mailbox [1].
2. Privacy Act of 1974
The Privacy Act governs the collection, maintenance, use, and dissemination of personal information by federal agencies. Weekly reports that identify individual employees and are retrievable by name may constitute records in a system of records; disclosing them outside the agency without written consent, and outside one of the act's statutory exceptions such as a published routine use, could violate the act, as could collecting them without the notice and safeguards the act requires [2].
3. Federal Records Act
The Federal Records Act requires agencies to preserve records that document the organization, functions, policies, decisions, procedures, and essential transactions of the agency. Weekly reports describing agency work may themselves be federal records. Sending them to another agency's mailbox with no retention schedule, no copy kept in the originating agency's own recordkeeping system, and no designated custodian may violate the act's preservation requirements [3].
Can These Laws Be Overridden?
While the White House and the Office of Management and Budget (OMB) have significant authority to direct federal agencies, they cannot unilaterally override laws passed by Congress. FISMA, the Privacy Act, and the Federal Records Act are statutory requirements that can be changed only through the legislative process.
The OMB can issue guidance on how to implement these laws, but it cannot negate them. Even an executive order from the White House would be subject to judicial review if it appeared to contradict these established laws.
Conclusion and Recommendations
The practice of sending weekly work activity reports to an unverified OPM email address is not only risky but likely violates several federal laws and regulations. As public sector professionals and contractors, it’s our responsibility to uphold the highest standards of data security and compliance.
Recommendations for federal agencies:
- Verify the authenticity of any such request out of band, through the agency's CIO or CISO office and OPM's published contacts, rather than by replying to the message itself.
- Where reporting is genuinely required, use an approved channel with a verified recipient, such as an agency-managed portal or an encrypted transfer to a named system, rather than free-text email to a shared mailbox.
- Consult agency legal counsel, the information security officer, and the records management officer before adopting any new reporting practice.
- Educate staff on the risks of phishing, including lookalike senders and redirected replies, and on keeping classified or controlled unclassified details out of unclassified email.
By adhering to these recommendations and maintaining vigilance, we can better protect our agencies’ sensitive information and ensure compliance with federal laws and regulations.
References:
[1] National Institute of Standards and Technology. (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53, Revision 5).
[2] United States Congress. (1974). The Privacy Act of 1974, 5 U.S.C. § 552a.
[3] United States Congress. (1950). Federal Records Act, 44 U.S.C. Chapter 31.
[4] United States Congress. (2014). Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.