UNCLASSIFIED (U)

20 FAM 101.2

Essential Concepts (Introduction to 20 FAM)

(CT:DATA-12;   02-06-2025)
(Office of Origin:  M/SS/CFA)

20 FAM 101.2-1  Data and AI Management (Introduction to 20 FAM)

(CT:DATA-6;   10-01-2024)

Reserved.

20 FAM 101.2-1(A)  Data (Introduction to 20 FAM)

(CT:DATA-6;   10-01-2024)

Reserved.

20 FAM 101.2-1(B)  Data and Information (Introduction to 20 FAM)

(CT:DATA-6;   10-01-2024)

Reserved.

20 FAM 101.2-1(C)  Data as an Organizational Asset (Introduction to 20 FAM)

(CT:DATA-6;   10-01-2024)

Reserved.

20 FAM 101.2-1(D)  AI (Introduction to 20 FAM)

(CT:DATA-6;   10-01-2024)

Reserved.

20 FAM 101.2-1(E)  Data Management Principles (Introduction to 20 FAM)

(CT:DATA-11;   11-28-2024)

20 FAM 101.2-1(F)  Data Governance Framework (Introduction to 20 FAM)

(CT:DATA-6;   10-01-2024)

Reserved.

20 FAM 101.2-2  Data management lifecycle overview

(CT:DATA-11;   11-28-2024)

a. The enterprise data management lifecycle has five phases: Data Onboarding, Data Preparation and Storage, Data Use, Data Sharing, and Data Retention (see Figure 2). There are also four policy areas that cross-cut the data management lifecycle and require their own expertise. These are Data Privacy, Data Security, Data Stewardship, and Data Access.

[Figure 2: Enterprise Data Management Lifecycle]

b. The Department is currently developing enhanced data security guidance in line with Executive Order 14208: Improving the Nation’s Cybersecurity, OMB M-22-09 on the Federal Zero Trust Architecture, and the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model.

20 FAM 101.2-2(A)  Data Onboarding

(CT:DATA-11;   11-28-2024)

When practicing Data Onboarding within their organizational unit, Data Stewards should:

(1)  Provide guidance on what type of data may be collected and onboarded.

(2)  Provide guidance on how to extract and onboard data from each source, e.g., mail, email, cable, database, website, etc.

(3)  Provide guidance on how data is controlled and can be used in their or other offices’ operations.

(4)  Ensure Data Users who generate data understand their responsibilities.

(5)  Ensure data is onboarded only when there is a valid business case for it.

20 FAM 101.2-2(B)  Data Prep and Storage

(CT:DATA-11;   11-28-2024)

When practicing Data Preparation and Storage within their organizational unit, Data Stewards should:

(1)  Ensure data intake aligns with the Department’s Master Reference Data (MRD) standards when available.

(2)  In collaboration with the Data Users who generate data, develop metadata, including:

(a)  Statement of purpose;

(b)  Contact information of individuals responsible for data preparation;

(c)  Label that designates it as authoritative;

(d)  Statement on whether a Data Sharing Agreement (DSA) and/or a Computer Matching Agreement (CMA) are needed for sharing the data set or an aspect of it;

(e)  Encryption keys, if applicable; and

(f)   Description of contractual limitations.

(3)  Keep data in a maximally raw format.

(4)  Identify and tag data in the datasets as:

(a)  Classified.  Any classified data shall be marked according to classification guidelines in 5 FAM 480 and must not be processed on OpenNet;

(b)  Sensitive But Unclassified (SBU), including all instances of Personally Identifiable Information (PII) and any information that would be exempt from public disclosure under the Freedom of Information Act (FOIA). See 12 FAM 540 for guidance on the type of information to which SBU is typically applied.

(5)  Store data and code in a transparent, trusted, and centralized manner to facilitate visibility and access.

(a)  Define and publish storage location in the bureau’s central repository; and

(b)  Maintain data or code with its metadata and publish them together.

(i)     Centralize and publish existing data dictionaries.

(ii)    Review/update data dictionaries every three years at minimum or whenever 5 percent or more of the data is updated/changed.

(6)  Consult the Department’s Data Quality Program, when available, to verify data reliability.

20 FAM 101.2-2(C)  Data Use

(CT:DATA-11;   11-28-2024)

When practicing Data Use within their organizational unit, Data Stewards should:

(1)  Ensure Data Users use data in accordance with the statement of purpose and the signed Memorandum of Understanding (MOU) or DSA, and that any other use is justified, documented, and approved by the Data Users who have generated the data in question.

(2)  Ensure Data Users understand which data is authoritative and use authoritative data, where it exists.

(3)  Ensure Data Users understand whom to contact on what can and cannot be done with data.

(4)  Regularly audit data use to ensure compliance with its statement of purpose.

(5)  Log data use to ensure data use is auditable. 

(6)  Add the appropriate Data Steward(s) from other bureaus/offices/posts to the clearance line for products that use data that comes from those bureaus/posts/offices.

20 FAM 101.2-2(D)  Data Sharing

(CT:DATA-11;   11-28-2024)

When practicing Data Sharing within their organizational unit, Data Stewards should:

(1)  Only share datasets from authoritative data sources, where they exist.

(2)  Notify known users of significant changes to data.

(3)  Ensure data sets, or specific portions of them, are shared using standardized Data Sharing Agreements (DSAs) and follow enterprise DSA documentation principles, if applicable.

(4)  Ensure DSAs incorporate language on the sharing party’s right to audit data use to ensure data is used as intended.

(5)  Share SBU data within the Department only on a “need to know” basis.

(6)  If possible and only as appropriate, create a redacted version that removes classified data so that it can be shared broadly.

(7)  See 20 FAM 901.2-2 for additional data sharing guidance.

20 FAM 101.2-2(E)  Data Access

(CT:DATA-12;   02-06-2025)

When practicing Data Access within their organizational unit, Data Stewards should:

(1)  In accordance with 1 FAM 044, provide read-only access to data and accompanying metadata to the Chief Data Officer via the Enterprise Data Inventory and/or Catalog.

(2)  Clearly state who has unrestricted access to data. Clearly define roles for users and attributes by which access would be granted to specific data sets maintained by a bureau/post/office.

(3)  See 20 FAM 901.2-1 for additional data access guidance.

20 FAM 101.2-2(F)  Data Retention

(CT:DATA-11;   11-28-2024)

When practicing Data Retention within their organizational unit, Data Stewards, in consultation with their organizational unit’s records management policies and 5 FAM 430, should:

(1)  Ensure bureau/post/office personnel understand the Department’s definition of the terms data and record and guidance on when data becomes a record to ensure retention requirements are met.

(2)  Follow enterprise guidance on how to prepare data for preservation and how to store the data to ensure standardization and interoperability over the lifecycle of the information.

(a)  Preserve data with its metadata.

(b)  Ensure metadata prepared for records includes:

(i)     Information on the origin and source;

(ii)    Contact information of the office that originated the record;

(iii)    Information on the data used to create the records;

(iv)   Date of archiving;

(v)    Statement of purpose that will include reason for retention; and

(vi)   Records retention schedule citation.

(c)  Identify and tag all instances of PII and PHI, and other access restrictions.

(d)  Complete a Privacy Impact Assessment (PIA) when developing or procuring IT systems or projects that collect, maintain or disseminate PII from or about members of the public, or initiating a new electronic collection of PII for 10 or more persons.

(e)  Ensure it is approved by the Senior Agency Official for Privacy and published publicly, as appropriate – see 5 FAM 460.

(f)   Define and publish location of archived data and records.

(g)  Ensure a System of Records Notice (SORN) is created, approved by the Senior Agency Official for Privacy, and published publicly when appropriate – see 5 FAM 460.

(h)  Publish information on archived data and records in a bureau centralized repository, even if access to any of the data or records must remain restricted.

In case archives cannot be accessed, provide the reason. 

(i)   Preserve records together with relevant data, if applicable.

(j)   If data comes from another part of the Department, the originating party and the preservation party may consider signing an MOU or DSA.

(3)  Centralize and publish bureau retention schedules.

(4)  Seek methods to automate archiving to make the process efficient.

(5)  Apply the Data Sharing and Data Access policies when making their archives available to others.

20 FAM 101.2-2(G)  Data Privacy

(CT:DATA-11;   11-28-2024)

When ensuring Data Privacy within their organizational unit, Data Stewards should:

(1)  Ensure that all forms used for PII intake are approved by the OMB and display the Privacy Act Statement (where appropriate) and a control number.

(2)  Ensure that PII is prepared and stored in accordance with the Department’s policy on Data Preparation and Storage.

·  Including that all instances of PII in the datasets are identified and tagged.

(3)  Ensure that PII is used in accordance with the Department’s policy on Data Use.

(4)  Ensure that PII is shared in accordance with the Department’s policy on Data Sharing.

·  Data Stewards must share PII only on a “need to know” basis, and if possible and only as appropriate.  If classified, they should endeavor to create a redacted version that removes classified data so that it can be shared.

(5)  Ensure that PII is accessed in accordance with the Department’s policy on Data Access.

(6)  Ensure bureaus/posts/offices follow the Department’s guidance on risk mitigation when aggregating data.

(7)  Ensure that data is protected in accordance with the Department’s Data Privacy policy, 5 FAM 460.

(8)  If the unit is developing or procuring IT systems or projects that collect, maintain or disseminate PII about members of the public, or initiating a new electronic collection of information of PII for 10 or more persons, refer to 5 FAM 470 and work with the Privacy Office in A Bureau to obtain a PIA.

20 FAM 101.2-2(H)  Data Security

(CT:DATA-11;   11-28-2024)

When practicing Data Security within their organizational unit, Data Stewards, in consultation with their organizational unit’s Information Systems Security Officer (ISSO), should:

·  Follow the rules set out in 12 FAM 510: Information Security.

 
