Pt. 310, App. A
Appendix A to Part 310
—Safeguarding Personally Identifiable Information (PII)
(See § 310.13 of Subpart B)
1. The IT environment subjects personal information to special hazards as to unauthorized compromise, alteration, dissemination, and use. Therefore, special considerations must be given to safeguarding personal information in IT systems consistent with the requirements of DoD Directive 8500.1 and DoD Instruction 8500.2.
2. Personally identifiable information must also be protected while it is being processed or accessed in computer environments outside the data processing installation (such as, remote job entry stations, terminal stations, minicomputers, microprocessors, and similar activities).
3. IT facilities authorized to process classified material have adequate procedures and security for the purposes of this Regulation. However, all unclassified information subject to this Regulation must be processed following the procedures used to process and access information designated “For Official Use Only.” (See DoD 5200.1-R.)
B. Risk Management and Safeguarding Standards
1. Establish administrative, technical, and physical safeguards that are adequate to protect the information against unauthorized disclosure, access, or misuse. (See OMB Circular A-130 and DoD Instruction 8500.2.)
2. Tailor safeguards to the type of system, the nature of the information involved, and the specific threat to be countered.
C. Minimum Administrative Safeguards
The minimum safeguarding standards as set forth in § 310.13(b)
apply to all personal data within any IT system. In addition:
1. Consider the following when establishing IT safeguards:
a. The sensitivity of the data being processed, stored and accessed.
b. The installation environment.
c. The risk of exposure.
d. The cost of the safeguard under consideration.
2. Label or designate media products containing personal information that do not contain classified material in such a manner as to alert those using or handling the information of the need for special protection. Designating products “For Official Use Only” in accordance with the requirements of DoD 5200.1-R satisfies this requirement.
3. Mark and protect all computer products containing classified data in accordance with the requirements of DoD 5200.1-R and DoD Directive 8500.1.
4. Mark and protect all computer products containing “For Official Use Only” material in accordance with the requirements of DoD 5200.1-R.
5. Ensure that safeguards for protected information stored at secondary sites are appropriate.
6. If there is a computer failure, restore all protected information being processed at the time of the failure using proper recovery procedures to ensure data integrity.
7. Train personnel involved in processing information subject to this Regulation in proper safeguarding procedures.
D. Physical Safeguards
1. For all unclassified facilities, areas, and devices that process information subject to this Regulation, establish physical safeguards that protect the information against reasonably identifiable threats that could result in unauthorized access or alteration.
2. Develop access procedures for unclassified computer rooms, tape libraries, micrographic facilities, decollating shops, product distribution areas, or other direct support areas that process or contain personal information subject to this Regulation that control adequately access to these areas.
3. Safeguard on-line devices directly coupled to IT systems that contain or process information from systems of records to prevent unauthorized disclosure, use, or alteration.
4. Dispose of paper records following appropriate record destruction procedures. (See § 310.13(c)
and DoD 5200.1-R.)
E. Technical Safeguards
1. Components are to ensure that all PII not explicitly cleared for public release is protected according to Confidentially Level Sensitive, as established in DoD Instruction 8500.2. In addition, all DoD information and data owners shall conduct risk assessments of compilations of PII and identify those needing more stringent protection for remote access or mobile computing.
2. Encrypt unclassified personal information in accordance with current Information Assurance (IA) policies and procedures, as issued.
3. Remove personal data stored on magnetic storage media by methods that preclude reconstruction of the data.
4. Ensure that personal information is not inadvertently disclosed as residue when transferring magnetic media between activities.
5. Only DoD authorized devices shall be used for remote access. Any remote access, whether for user or privileged functions, must conform to IA controls specified in DoD Instruction 8500.2.
6. Remote access for processing PII should comply with the latest IA policies and procedures.
7. Minimize access to data fields necessary to accomplish an employee's task-normally, access shall be granted only to those data elements (fields) required for the employee to perform his or her job rather than granting access to the entire database.
8. Do not totally rely on proprietary software products to protect personnel data during processing or storage.
F. Special Procedures
1. Managers shall:
a. Prepare and submit for publication all system notices and amendments and alterations thereto. (See § 310.30(f)
b. Identify required controls and individuals authorized access to PII and maintain updates to the access authorizations.
c. When required, ensure Privacy Impact Assessments are prepared consistent with the requirements of the DoD Deputy Chief Information Officer Memorandum, “DoD Privacy Impact Assessment Guidance,” October 28, 2005.
d. Train all personnel whose official duties require access to the system of records in the proper safeguarding and use of the information and ensure that they receive Privacy Act training.
G. Record Disposal
1. Dispose of records subject to this Regulation so as to prevent compromise. (See § 310.13(c)
.) Magnetic tapes or other magnetic medium may be cleared by degaussing, overwriting, or erasing. (See DoD Memorandum, “Disposition of Unclassified DoD Computer Hard Drives,” June 4, 2001.)
2. Do not use respliced waste computer products containing personal data.