Do not put PII at risk!!

  • Published
  • By Col. Mike Feeley
  • Commander, 166th Airlift Wing
PII is personally identifiable information, which includes, but is not limited to, Social Security numbers, driver's license numbers, and financial information.

Breaches occur when this data is inadvertently released. This creates a compromise of privacy information in violation of federal law, and puts our own personnel, and our ability to accomplish our mission, at risk.

Some key points I need to convey to all Air National Guard members regarding our handling of PII data:

1. NEVER, NEVER send PII to a personal (non-military) email address.

2. Elimination of PII compromises is an Air Force priority and the responsibility of every user.

3. PII should be closely guarded.

4. Only send PII for official purposes to co-workers with a need to know.

5. Limit sending PII to approved distribution lists, even if all list members are military (.mil) addresses. Instead, send to the individual military accounts of one or more individuals.

6. If you are not certain you can send encrypted email, don't. Contact your unit Commander's Support Staff for assistance.

7. If encrypting e-mail is not feasible, but if electronic transmission of sensitive PII is operationally required, consider the AF-approved Safe Access File Exchange (S.A.F.E.) tool: https://safe.amrdec.army.mil/safe/.
 
Because we are an ANG organization with most of our members being part-time, we have gotten into some habits that we need to correct immediately.

One example: We must end the habit of sending email containing PII to a member's personal (non-military) email address despite it being legitimate work. Alpha or recall rosters, copies of orders, and OPR's or EPR's MUST NOT BE SENT TO PERSONAL EMAILS.

To help prevent PII breaches, the 24th Air Force has developed an email tool called the Digital Signature Enforcement Tool (DSET). DSET prompts users to provide a digital signature and scans the email to help identify if common PII is present. If PII is present DSET will request the user to confirm and encrypt the email before sending.

"When users release PII that is not protected, that puts information at risk for being intercepted by adversaries. These adversaries can then use that information to target users to gain access [to] the network." said Alonzo Pugh, cyber business system analyst for 24th AF. "The tool provides awareness for users of risks before the e-mail leaves the workstation, giving users the chance to correct the identified risk."

"DSET capability should encourage users to be more involved in the process of preventing PII breaches. The user is afforded the ability to take action in checking their e-mails to make sure they are not inadvertently releasing PII, and given the opportunity to protect it. DSET makes users more aware that they need to double check their e-mails and ensure that they are in accordance with policy; the responsibility for preventing breaches ultimately falls on them."

You can access training for DSET using the following link: https://afpki.lackland.af.mil/assets/files/OE-15-40-064_QRG-DSET_v0001.pdf.

The eight-minute DSET tutorial is located here: https://afpki.lackland.af.mil/tutorials/dset/.

We each need to pause to protect PII.