CISA Privacy Policies

 

CISA Website Privacy Policy

Thank you for visiting the Cybersecurity and Infrastructure Security Agency (CISA) online and reviewing our website privacy policy. Our privacy policy explains how we handle the personally identifiable information (PII) that you provide to us when you visit us online to browse, obtain information, or conduct a transaction.

PII includes information that is personal in nature and which may be used to identify you. You may provide PII to us when you send us an e-mail message or a request for information, when you fill out a questionnaire or customer satisfaction survey, when you participate in a research study, etc. We do not require you to register or provide PII to visit our websites. We do collect some technical information that does not include PII when you visit to make your visit seamless. The section below explains how we handle and collect information when you visit CISA websites.

The PII you provide on a CISA website will be used only for the purpose for which you provided it. We will protect your information consistent with the principles of the Privacy Act of 1974, the E-Government Act of 2002, and the Federal Records Act.

We welcome feedback if you have any questions regarding our privacy policy or the use of your information. Any additional privacy questions should be directed to the CISA Office of Privacy. CISA’s privacy compliance materials are available at Privacy Impact Assessments (PIA) and Systems of Records Notices (SORN). For additional information about our Privacy Policy, please contact us at:

Email: Privacy@cisa.dhs.gov

Mail:

CISA Office of Privacy
DHS Mail Stop 0380
245 Murray Lane
Arlington, VA 20598

As a general rule, CISA does not collect PII about you when you visit our websites, unless you choose to provide such information to us. Submitting PII through our website is voluntary. By doing so, you are giving the Department permission to use the information for a specific, stated purpose.

If you choose to provide us with PII through such methods as completing a web form, we will use that information to help us provide you the information or service you have requested. The information we may receive from you varies based on what you do when visiting our site.

We only share the PII you give us with another government agency if your inquiry relates to that agency, or as otherwise required by law. We never create individual profiles or give your PII to any private organizations. CISA never collects information for commercial marketing.

If we store your PII in a record system designed to retrieve information about you by personal identifier (name, personal email address, home mailing address, personal or mobile phone number, etc.), so that we may contact you, we will safeguard the information you provide to us in accordance with the Privacy Act of 1974, as amended (5 U.S.C. §552a). The Act requires all public-facing sites or forms that request PII to prominently and conspicuously display a privacy notice.

The notice must address the following criteria:

  1. Legal authorization to collect information about you;
  2. Purpose for which the information will be used;
  3. Routine uses for disclosure of information outside of the Department of Homeland Security;
  4. Whether your providing the information is voluntary or mandatory under law; and
  5. Effects if you choose to not provide the requested information.

For the general contact information that may be submitted through CISA websites, we have completed a Privacy Impact Assessment (PIA) and System of Records Notice (SORN) providing details about the privacy protections and redress options available for the contact information we collect from the public. This information may be used to distribute information to you and to perform various administrative tasks. For further information, please reference the privacy compliance documentation below:

Email Communications

Many of our programs and websites allow you to send us email messages. We will use the information you provide to respond to your inquiry. We will only send you general information via email. You should be reminded that email may not necessarily be secure against interception. Therefore, we suggest that you do not send sensitive PII (such as your Social Security number) to us via email. If your intended email communication is sensitive, e.g., it includes information such as your bank account, charge card, or Social Security number, you should instead send it by U.S. mail. Another alternative may be submission of data through a secure program website, if available.

Electronic mail messages that meet the definition of records in the Federal Records Act (44 U.S.C. § 3101) are covered under the same disposition schedule as all other Federal records. This means that emails you send us will be preserved and maintained for varying periods of time if those emails meet the definition of Federal records. Electronic messages that are not records are deleted when no longer needed.

Web Measurement Tools and Web Surveys

When you browse through any website, certain information about your visit can be collected. We automatically collect the following types of information about your visit:

  • Domain from which you access the internet;
  • IP address (an IP address is a number that is automatically assigned to a computer when surfing the internet);
  • Operating system and information about the device or browser used when visiting the site;
  • Date and time of your visit;
  • Content you visited or downloaded; and,
  • Website (such as google.com or bing.com) or referral source (email notice or social media site) that connected you to the website.

CISA uses Google Analytics measurement software to collect the information listed above. The data are automatically sent to Google’s system and the system immediately aggregates the data. Neither the Department nor Google ever have access to the specifics of your particular site visits. The staff can only see the aggregate data from all users for a particular time period.

CISA gathers this information to improve our websites and has chosen to not share the aggregate data with Google. We may use the aggregated data to share with our partners and contractors to help improve visitor experiences.

CISA also uses online surveys to collect opinions and feedback from a random sample of visitors. CISA uses Survey Monkey online surveys to obtain feedback and data on visitors’ satisfaction with CISA websites. Surveys do not collect PII and participation in surveys is voluntary. If you decline the survey, you will still have access to identical information and resources on the website as those who take the survey. Answers to the survey help CISA improve its websites to make them easier to use and more responsive to the needs of our visitors. CISA staff conducts analysis and reports on aggregated data from website surveys. The reports are only available to website managers, members of their communications and web teams, and other designated staff who require this information to perform their duties.

CISA retains data from Google Analytics and Survey Monkey survey results only as long as required by law or needed to support the mission of CISA websites.

How CISA Uses Cookies

The Office of Management and Budget Memo M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, allows Federal agencies to use session and persistent cookies.

When you visit any website, its server may generate a piece of text known as a “cookie” to place on your computer. Placing cookie text allows websites to “remember” visitors’ preferences, surfing patterns, and behavior while they are connected.

The cookie makes it easier for you to use the dynamic features of webpages. Cookies from CISA webpages only collect information about your browser’s visit to the site; they do not collect any personal information about you.

There are two types of cookies, single session (temporary), and multi-session (persistent). Session cookies last only as long as your web browser is open. Once you close your browser, the cookie disappears. Persistent cookies are stored on your computer for longer periods.

Session Cookies: We use session cookies for technical purposes such as to enable better navigation through our site. These cookies let our server know that you are continuing to visit our site. The OMB Memo 10-22 guidance defines our use of session cookies as “Usage Tier 1-Single Session.” The policy says, “This tier encompasses any use of single session web measurement and customization technologies.”

Persistent Cookies: We use persistent cookies to differentiate between new and returning visitors to our site. Persistent cookies remain on your computer between visits to CISA websites for six months. We also use persistent cookies to block repeated invitations to take our customer satisfaction surveys. The persistent cookies that block repeated survey invitations expire in 90 days. The OMB Memo 10-22 guidance defines our use of persistent cookies as “Usage Tier 2-Multi-session without Personally Identifiable Information (PII).” The policy says, “This tier encompasses any use of multi-session web measurement and customization technologies when no PII is collected.”

Third party software, modules, or add-ins being leveraged on CISA websites may or may not use persistent cookies or similar technology; however, no data collected in this manner is accessible, viewable, or retained by the federal government.

If you do not wish to have session or persistent cookies stored on your machine, you can opt out or disable cookies in your browser. You will still have access to all information and resources at CISA websites. However, turning off cookies may affect the functioning of some websites. Be aware that disabling cookies in your browser will affect cookie usage at all other websites you visit as well.

For additional information about CISA’s use of Google Analytics, please see our privacy impact assessment, DHS/ALL/PIA-033 Google Analytics (June 9, 2011).

Third-Party Websites and Applications

CISA uses social media websites and other kinds of third-party websites. CISA uses social media websites to engage in dialogue, share information and media, and collaborate with the public. CISA may also use these websites to make information and services widely available, while promoting transparency and accountability, as a service for those seeking information about or services from CISA. The Department has published two Privacy Impact Assessments detailing the use of social media:

  • DHS/ALL/PIA-031 Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue (September 16, 2010)
  • DHS/ALL/PIA-036 Use of Unidirectional Social Media Applications (March 8, 2011)

CISA does not use third-party websites to solicit and collect PII from individuals. Any PII collected by the third-party website will not be transmitted or stored by CISA; no PII will be disclosed, sold, or transferred to any other entity outside the Department, unless required for law enforcement purposes or by statute consistent with the Privacy Act.

Site Security

CISA takes the security of all PII very seriously. We take precautions to maintain the security, confidentiality, and integrity of the information we collect on CISA websites. Such measures include access controls designed to limit access to the information to the extent necessary to accomplish our mission. We also employ various security technologies to protect the information stored on our systems. We routinely test our security measures to ensure that they remain operational and effective.

  • For site security purposes and to ensure that services remain available to all users, this government computer system employs commercial software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.
  • Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits. Raw data logs are used for no other purposes and are scheduled for regular destruction in accordance with National Archives and Records Administration guidelines.
  • Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.

Visiting Other Websites

Our websites may contain links to international agencies, private organizations, and commercial entities. These websites are not within our control and may not follow the same privacy, security, or accessibility policies. Once you link to another site, you are subject to the policies of that site. All Federal websites, however, are subject to the same Federal policy, security, and accessibility mandates.

CISA Facebook Privacy Policy and Notice

Cybersecurity & Infrastructure Security Agency (CISA or Agency) will use this Facebook page for external relations (communications/outreach/public dialogue), to make information and services widely available to the general public, and promote transparency and accountability. CISA External Affairs serves as the executive agent for the CISA Facebook page and controls who at the Agency has access to make changes to the page.

Facebook is a third-party social networking tool and its privacy policy can be found at http://www.facebook.com/policy.php. The DHS privacy policy and Privacy Impact Assessment (PIA) govern the Agency's use of Facebook from a privacy perspective. The DHS privacy policy can be found at Website Privacy Policy | Homeland Security (dhs.gov). The DHS PIA “Use of Social Networking Interactions and Applications,” September 16, 2010, can be found at DHS/ALL/PIA-031 Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue | Homeland Security.

Users engaging the CISA Facebook page expect privacy protections while interacting with the Agency. CISA will not use this Facebook page to: 1) actively seek personally identifiable information (PII); 2) search Facebook for or by PII; and 3) “friend” or “like” public users proactively without a waiver from the DHS Privacy Office (exclusion is made to “friending” or “liking” other U.S. federal, state, local, and tribal government agencies.) To the extent a user posts or sends PII to the Agency's Facebook page, CISA will use the minimum amount necessary to accomplish a purpose authorized by statute, executive order, or regulation.

CISA will use this Facebook page to: 1) establish user names and passwords to form profiles; 2) accept “fan” or “like” requests from public user accounts; and 3) interact on Facebook on official Agency business.

The information posted on this Facebook page is available to the individual posting and to any and all users on the CISA Facebook page who are able to access the public-facing side of the account. To protect your privacy and the privacy of others, do not include full names, phone numbers, email addresses, social security numbers, case numbers or any other sensitive PII of any individuals in your comments or responses.

The above content was last reviewed / modified on July 16, 2021.

CISA Facebook Comment Policy

The Cybersecurity & Infrastructure Security Agency (CISA) Facebook page welcomes your comments. Comments posted to the CISA Facebook page are subject to Facebook's usage, abuse, and comment policies at http://www.facebook.com/policy.php. Your comments are public and available to anyone visiting the CISA Facebook page.

To protect your privacy and the privacy of others, do not include full names, phone numbers, email addresses, social security numbers, case numbers or any other sensitive personally identifiable information (PII) of any individuals in your comments.

CISA does not moderate comments on the CISA Facebook page prior to posting, but reserves the right to remove any materials that pose a security or privacy risk. Additionally, CISA reserves the right to review all comments and remove any that contain profanity, personal attacks of any kind, spam, refer to Federal Civil Service employees or other individuals by name, otherwise contain PII, contain offensive terms that target specific ethnic or racial groups, promote commercial products, are geared toward the success or failure of a partisan political party, group, or candidate, incite hate, or are subject to a claim of infringement or deemed to be an infringement of intellectual property, or that is otherwise objectionable. Any opinions expressed by commentators on the CISA Facebook page, except as specifically noted, are solely those of the individual offering commentary, and do not reflect any CISA policy, endorsement, or action.

Use of a Facebook page is governed by the Facebook Privacy Policy. Only CISA employees acting in their official capacity are authorized representatives to administer CISA Facebook pages. All postings and content are considered property of CISA, and CISA retains the authority to remove or limit its distribution.

Any references to commercial entities, products, services, or other nongovernmental organizations or individuals that remain on the CISA Facebook page are provided solely for the information of individuals visiting the CISA Facebook page. CISA does not endorse, support, or otherwise promote any private or commercial entity or the information, products, or services contained on those websites that may be reached through links on the CISA Facebook page.

Any CISA Facebook page is not to be used for the following:

  • Reporting criminal activity. Individuals with information for law enforcement should contact their local law enforcement agency.
  • For more questions on this topic or CISA in general, please contact Central@cisa.gov.
  • To report anomalous cyber activity and/or cyber incidents 24/7, email report@cisa.gov or call (888) 282-0870.
  • Requesting CISA services or general questions. Instead, individuals should contact CISA directly via Contact Us on our main website to get help.
  • Submitting unsolicited proposals, or other business ideas or inquiries. The CISA Facebook page is not to be used for contracting or commercial business.
  • Submitting any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

CISA does not guarantee or warrant that any information posted by individuals on the CISA Facebook page is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. CISA may not be able to verify, does not warrant or guarantee, and assumes no liability for, anything posted on the CISA Facebook page by any other person.

Members of the media are directed to send questions to CISAMedia@cisa.dhs.gov.

The above content was last reviewed / modified on July 16, 2021.

CISA Instagram Privacy Policy and Notice

Cybersecurity & Infrastructure Security Agency (CISA or Agency) will use this Instagram page for external relations (communications/outreach/public dialogue), to make photos and images widely available to the general public, and promote transparency and accountability. CISA External Affairs serves as the executive agent for the CISA Instagram page and controls who at the Agency has access to make changes to the page.

Instagram is a third-party social networking photo and image sharing tool and its privacy policy can be found at help.instagram.com/155833707900388. The CISA privacy policy governs CISA’s use of Instagram from a privacy perspective. The CISA privacy policy can be found at CISA Website Privacy Policy | CISA.

Users engaging the CISA Instagram page expect privacy protections while interacting with the agency. CISA will only post photos and images and, to the extent possible, will not allow the posting of public comments associated with these images. CISA will not use this Instagram page to: 1) actively seek PII; 2) search Instagram for or by PII; and 3) “view” public users’ photos and images proactively (exclusion is made to “viewing” other U.S. federal, state, local, and tribal government agencies.) To the extent a user posts or sends PII to CISA’s Instagram page, CISA will use the minimum amount necessary to accomplish a purpose authorized by statute, executive order, or regulation.

CISA will use this Instagram page to: 1) establish user names and passwords to form profiles; 2) accept requests from public user accounts to view CISA photos and images; and 3) post photos and images on Instagram related to official CISA business. CISA may share photos and images posted on the CISA Instagram page if there is a demonstrated need to know, and will only post photos and images after they have been appropriately approved and vetted by CISA External Affairs.

The photos and images posted on the CISA Instagram page are available to the individual posting and to any and all users on the CISA Instagram page who are able to access the public-facing side of the account. To protect your privacy and the privacy of others, do not post photos and images that include your full name, date of birth, social security number, address, phone numbers, email addresses, case numbers, or any other sensitive PII.

This section was last reviewed / modified on July 16, 2021.

CISA Twitter Privacy Policy and Notice

Cybersecurity & Infrastructure Security Agency (CISA or Agency) will use this Twitter feed for external relations (communications/outreach/public dialogue), to make information and services widely available to the general public, and promote transparency and accountability. CISA External Affairs serves as the executive agent for the CISA Twitter feed and controls who at the Agency has access to make changes to the page. The CISA Twitter feed is not intended to be a means by which CISA and the general public will communicate about individual matters.

Twitter is a third-party social networking tool and its privacy policy can be found at http://twitter.com/privacy. The DHS privacy policy and Privacy Impact Assessment (PIA) govern the website's use of Twitter from a privacy perspective. The DHS privacy policy can be found at Website Privacy Policy | Homeland Security (dhs.gov). The DHS PIA “Use of Social Networking Interactions and Applications,” September 16, 2010, can be found at DHS/ALL/PIA-031 Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue | Homeland Security.

CISA will not use this Twitter feed to: 1) actively seek personally identifiable information (PII); 2) search Twitter for or by PII; and 3) “follow” public users proactively. CISA will use this Twitter feed to: 1) establish user names and passwords to form profiles and 2) interact on Twitter on official Agency business. Twitter users can choose to follow the CISA Twitter feed, which will provide them with the information DHS delivers on the CISA Twitter feed.

Only CISA provides content through this Twitter feed. Any other Twitter user has the ability to re-“tweet” (i.e., republish) or comment on content provided by CISA through the CISA Twitter feed. CISA does not moderate public comments which refer to comments posted in the CISA Twitter feed. Comments made on Twitter are public. To protect your privacy and the privacy of others, do not include full names, phone numbers, email addresses, social security numbers, case numbers or any other sensitive PII of any individuals in your tweets or comments.

This section was last reviewed / modified on July 16, 2021.

CISA YouTube Privacy Policy and Notice

Cybersecurity & Infrastructure Security Agency (CISA or Agency) will use this YouTube feed for external relations (communications/outreach/public dialogue), to make information and services widely available to the general public, and promote transparency and accountability. CISA External Affairs serves as the executive agent for the CISA YouTube feed and controls who at the Agency has access to make changes to the page. The CISA YouTube feed is not intended to be a means by which CISA and the general public will communicate about individual matters.

YouTube is a third-party social networking tool and its privacy policy can be found at http://YouTube.com/privacy. The DHS privacy policy and Privacy Impact Assessment (PIA) govern the website's use of YouTube from a privacy perspective. The DHS privacy policy can be found at Website Privacy Policy | Homeland Security (dhs.gov). The DHS PIA “Use of Social Networking Interactions and Applications,” September 16, 2010, can be found at DHS/ALL/PIA-031 Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue | Homeland Security.

CISA will not use this YouTube feed to: 1) actively seek personally identifiable information (PII); 2) search YouTube for or by PII; and 3) “follow” public users proactively. CISA will use this YouTube feed to: 1) establish user names and passwords to form profiles and 2) interact on YouTube on official Agency business. YouTube users can choose to view videos on the CISA YouTube page, which will provide them with the information DHS delivers on CISA YouTube.

Only CISA provides content through CISA YouTube. The information posted on this YouTube page is available to the individual posting and to any and all users on the CISA YouTube page.

This section was last reviewed / modified on July 16, 2021.

Mobile App Privacy Policy - eFOG 

Privacy Policy For the Electronic Field Operations Guide (eFOG) Mobile Applications



Overview

The Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) Emergency Communications Division (ECD) Interoperable Communications Technical Assistance Program (ICTAP) developed and deployed the electronic Field Operations Guide (eFOG) mobile application. DHS is employing software that converts technical reference manuals in Microsoft Word format into mobile applications in an effort to make them more widely available to emergency communications partners and stakeholders across the Nation.

This policy informs users of our policies regarding the collection, use, and disclosure of personal information when using the eFOG mobile application.

Information Collected

DHS does not collect personal information from eFOG mobile application users. All potential user tracking and monitoring options will be disabled in the eFOG mobile application to prevent the unnecessary collection of personal information. User generated information such as bookmarked sections, personalized notes, and preferences are only retained locally on the user’s device and are not accessible by DHS or any third party.

Uses of Information

DHS does not use personal information from eFOG mobile application users. User generated information such as bookmarked sections, personalized notes, and preferences are only retained locally on the user’s device and are not accessible by DHS or any third party.

Information Sharing

DHS does not collect personal information from eFOG mobile application users, and therefore, does not share eFOG user information with any third party.

Application Security

The eFOG mobile application operates locally on a user’s mobile device and the user’s session can be accessed only via that user’s device; therefore, eFOG user information is not transmitted over the internet. DHS recommends that users properly secure access to mobile devices using means supplied by the device manufacturer and operating system.

How to Access or Correct your Information

DHS does not collect personal information from eFOG mobile application users. User generated information such as bookmarked sections, personalized notes, and preferences are only retained locally on the user’s device. eFOG users may submit questions or concerns to the eFOG document owner and to the ICTAP Public Safety Tools team via the Help section in the eFOG mobile application.

Analytics Tools

The eFOG mobile application does not employ the use of any analytic tools.

Privacy Policy Contact Information

If you have questions about this Privacy Policy, you may contact the CISA Office of the Chief Privacy Officer using the below contact information:

Email: Privacy@cisa.dhs.gov

Mail:

CISA Office of Privacy
DHS Mail Stop 0380
245 Murray Lane
Arlington, VA 20598