💼 Scenario
GovAgency is a federal government agency that processes citizen tax records, social benefits applications, and census data for 100 million citizens. A recent government-wide security audit identified that the agency has no formal data classification scheme, and sensitive citizen data is stored with the same security controls as public information.
Specific findings include: personally identifiable information (PII), including Social Security numbers, stored in unencrypted databases; 5,000 employees with access to the full citizen database regardless of their role; no data loss prevention (DLP) controls on email or removable media; and development teams using production citizen data in test environments. The agency has 18 months to remediate these findings before the next audit.
Additionally, the agency is implementing a cloud migration strategy and must ensure that citizen data protections extend to cloud environments while complying with FedRAMP requirements and the Privacy Act. Budget constraints limit the remediation to $8 million.