"Without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information, and secure federal systems and information against threats," Gregory Wilshusen, GAO director of information security issues, writes in the 90-page report issued Thursday.
According to the audit:
- 12 of the 23 agencies have developed and issued guidance that outlines processes and policies for identifying and managing records generated by their use of social media and record-keeping roles and responsibilities.
- 12 agencies have updated their privacy policies to describe whether they use personal information made available through social media, and eight conducted and documented privacy impact assessments to identify potential privacy risks that may exist in using social media given the likelihood that personal information will be made available to the agency by the public.
- 7 agencies identified and documented security risks - such as the potential for an attacker to use social media to collect information and launch attacks against federal information systems - and mitigating controls associated with their use of social media.
President Obama has encouraged use of social media as a way agencies can develop a dialogue with their constituencies. Still, Wilshusen says, social media pose risks to the adequate protection of personal and government information.
GAO says agencies, in some instances, reported having policies in development to address these issues. In other cases, GAO says, agencies said that there was no need to have policies or procedures that specifically address the use of social media, because these are addressed in existing policies, a notion with which the congressional investigators voiced disagreement.
Federal agencies have been adapting commercially provided social media technologies to support their missions. Specifically, GAO identified several distinct ways that 23 of 24 major agencies use Facebook, Twitter and YouTube, including reposting information available on official agency Web sites, posting information not otherwise available on agency Web sites, soliciting comments from the public, responding to comments on posted content and providing links to non-government sites.
GAO says, for instance, agencies use Facebook to post pictures or descriptions of the activities of agency officials and to interact with the public; Twitter to provide information in an abbreviated format and to direct the public back to official agency sites; and YouTube to provide alternate means of accessing videos available on official agency sites, to share videos of agency officials discussing topics of interest or to solicit feedback from the public.