Security Experts:

OMB Publishes Memorandum on U.S. Federal Data Strategy

"Data is the new oil," said mathematician Clive Humby in 2006 when designing a supermarket clubcard. But like crude oil, it is what can be extracted (in this case, information) that is truly valuable and drives both government and business. For information to be valuable, it must come from as much accurate data as possible. This is the purpose of the U.S. Federal Data Strategy -- to allow cross-state federal agencies to combine and share federal data safely and securely; to turn siloed federal data into Big Federal Data.

On June 4, 2019, the Office of Management and Budget published its framework (PDF) for the Federal Data Strategy. At the same time, the Federal Data Strategy development team published a draft one-year Action Plan (PDF) open for public comment until July 5, 2019. The hope is that within five to ten years of one-year plans, the Federal Data Strategy will be in full operation.

The OMB document defines the Strategy in three parts: mission statement, principles, and practices. The mission is simple: "to leverage the full value of Federal data for mission, service, and the public good by guiding the Federal Government in practicing ethical governance, conscious design, and a learning culture." The Strategy, said Federal CIO Suzette Kent, is changing the way agencies use data to improve operations and deliver services as well as making it easier for citizens and businesses to access and use data to spur the economy.

Joseph Stuntz, director of federal at Virtru, a data protection, sharing and privacy firm, is optimistic. "I think the Federal Data Strategy is absolutely a step in the right direction," he told SecurityWeek. "First, it shows consistency in priority and process for agencies as they have a separate action plan for the next year which is out for public comment, and will be easier to track and measure against, while tying back to the Cross-Agency Priority (CAP) Goal on Leveraging Data as a Strategic Asset." This is CAP Goal No 2 in the President's Management Agenda.

The framework itself comprises ten principles (comprising ethical governance, conscious design, and learning culture), and a further 30 practices separated into 'building a culture that values data and promotes public use', 'governing, managing and protecting data', and 'promoting efficient and appropriate use'.

The principles, says the OMB, "are intended to guide federal and federally-sponsored data management activities, be they programmatic, statistical, or mission-support." They are guidelines. The practices are more aligned with what needs to be done, starting, for example with, 'Identify data needs to answer key agency questions'.

The security elements of the Strategy primarily appear in the second section of the practices that focuses on governing, managing and protecting data. For example, the thirteenth practice is 'protect data integrity': "Emphasize state-of-the-art data security as part of Information Technology security practices for every system that is refreshed, architected, or replaced to address current and emerging threats; foster innovation and leverage new technologies to maintain protection," states the Strategy document.

This is perhaps one of the most challenging areas of the Strategy. "This connection between generating value while maintaining privacy and the protection of data is critical," said Stuntz. "By promoting privacy and data protection throughout the documesnt, that will hopefully build trust in the execution of the policy as the sharing of data can only happen when there is trust. Without the sharing of data inside or between agencies, and between government and outside government, many important government missions will not be successful."

The twenty-third practice is 'allow amendment': "Establish clear procedures to allow members of the public to access and amend federal data about themselves, as appropriate and in accordance with federal laws, regulations and policies, in order to safeguard privacy, reduce potential harm from inaccurate data, and promote transparency."

The Strategy is largely as expected, being close to a draft that was released in October 2018. The number of practices, however, has been reduced from 47 to 40 -- but more through streamlining and combination than pruning.

What is new, however, is the second document: the draft 2019-2020 Federal Data Strategy Action Plan developed jointly by OMB, the Office of Science and Technology Policy, the Department of Commerce, and the Small Business Administration. This specifies what steps toward the Strategy must be accomplished in the first year. The Action Plan describes three categories of actions to be implemented: shared (eight separate actions), community (three actions), and agency-specific (five actions).

Shared actions are led by a single agency or existing council for the benefit of all. "They provide government-wide thought leadership, direction, tools, and/or services for implementing the Federal Data Strategy," says the Action Plan. Each action has a specified lead agency, and is related to one or more of the Strategy's 40 practices. So, for example, Action 2 is 'develop a curated data science training and credentialing catalog', led by the General Services Administration and related to the 'increase capacity for data management and analysis' practice (#27).

Community actions are undertaken by a group of agencies around a common topic. "They represent ongoing, mature, cross-agency priorities that will use the Federal Data Strategy practices and implementation guidance to more quickly and consistently achieve their goals," says the plan. For example, Action 9 is 'improve data resources for AI research and development'. It involves all agencies and is related to the 'promote wide access' practice (#33).

Agency-specific actions are undertaken by all agencies and are designed to build capacity using currently available agency resources. "They set expectations for progress and success in implementing the practices," says the Action Plan. For example, Action 16 is 'identify priority datasets for agency open data plans'. It involves all agencies and, like Action 9, is related to the 'promote wide access' practice (#33).

The current Action Plan is a draft, and is open for public comment until 5 July 2019. The Federal Data Strategy development team will then publish a final version in September 2019. "By one year after the release of this Action Plan," says the team, "the Federal Government will have begun to implement the Federal Data Strategy through a set of fundamental actions." Thereafter, they publish additional one-year plans for as long as necessary, but expected to be between five and ten years.

Interestingly, the initial OMB document mentions but makes little of the commercialization of federal data. Similarly, 'commercialization' does not appear at all in the Action Plan. Nevertheless, commercialization is a recognized purpose of the Strategy: "Enabling external users to access and use government data for commercial and other public purposes spurs innovative technological solutions and fills gaps in government capacity and knowledge," states the Federal Data Strategy website.

It makes sense to leave possible commercial opportunities until after the Strategy is solid. One obvious commercial opportunity is the combination of available health data, socio-economic, address and employment data for research into health issues and drug development. The EU's experience -- which started on this route some years ago with a Directive on the re-use of public sector information (the PSI Directive in 2003) -- has found health information to be particularly sensitive with citizens. It opens completely new debates on the value of fully anonymized data and the safety of just anonymization. Many mathematicians do not believe that anonymization works, and can always be easily expanded into full identification.

With the U.S. Federal Data Strategy, these are battles for the future. In the meantime, says Stuntz, "For the policy in general, it is certainly easier to write about generating value from data while maintaining privacy and security than to make it happen, but progress can only be made with policy direction and leadership attention, both of which are demonstrated by this Strategy and the Action Plan."

Related: Big Data Faces Big Challenges With Encryption 

Related: Researchers Link "de-identified" Browsing History to Social Media Accounts 

Related: Obama Administration Places $200 Million Bet On Big Data 

Related: The Intersection of Health Care Intelligence and Security Intelligence 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.