Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate


Location:
Government Accountability Office (GAO), 441 G St., NW, Washington, DC, 20548, United States

Federal agencies are increasingly making use of social media technologies, including Facebook, Twitter, and YouTube, to provide information about agency activities and interact with the public. While the purposes for which agencies use these tools vary, they have the potential to improve the government’s ability to disseminate information, interact with the public, and improve services to citizens.

However, the widespread use of social media technologies also introduces risks, and agencies have made mixed progress in establishing appropriate policies and procedures for managing records, protecting the privacy of personal information, and ensuring the security of federal systems and information. Specifically, just over half of the major agencies using social media have established policies and procedures for identifying what content generated by social media is necessary to preserve in order to ensure compliance with the Federal Records Act, and they continue to face challenges in effectively capturing social media content as records. Without clear policies and procedures for properly identifying and managing social media records, potentially important records of government activity may not be appropriately preserved.

In addition, most agencies have not updated their privacy policies or assessed the impact their use of social media may have on the protection of personal information from improper collection, disclosure, or use, as called for in recent OMB guidance. Performing privacy impact assessments (PIAs) and updating privacy policies can provide individuals with better assurance that all potential privacy risks associated with their personal information have been evaluated and that protections have been identified to mitigate them.

Finally, most agencies did not have documented assessments of the security risks that social media can pose to federal information or systems in alignment with FISMA requirements, which could result in the loss of sensitive information or unauthorized access to critical systems supporting the operations of the federal government. Without conducting and documenting a risk assessment, agency officials cannot ensure that appropriate controls and mitigation measures are in place to address potentially heightened threats associated with social media, such as spear phishing and social engineering.

To ensure that federal agencies have adequate guidance to determine the appropriate method for preserving federal records generated by content presented on agency social media sites, we recommend that the Archivist of the United States develop guidance on effectively capturing records from social media sites and that this guidance incorporate best practices.

[GAO-11-605]
