Congressional report recommends ‘FedRAMP’ for commercial data brokers

https://federalnewsnetwork.com/cybersecurity/2026/02/congressional-report-recommends-fedramp-for-commercial-data-brokers/

Publish Date: 2026-02-18 17:16:00

Source Domain: federalnewsnetwork.com


Amid persistent concerns about how agencies make use of data brokers, a new congressionally chartered report recommends setting up an authorization framework to regulate the federal government’s use of commercially available information.
Rep. Lori Trahan (D-Mass.) this week released a new report on modernizing the Privacy Act of 1974. The 68-page document features a range of proposals to update the 52-year-old law.
Trahan’s report has garnered attention for addressing Privacy Act vulnerabilities allegedly exploited in high-profile instances by Department of Government Efficiency (DOGE) personnel over the last year.
But the report’s recommendations go beyond DOGE’s activities and take on several longstanding issues, including how federal agencies use data about Americans that can be purchased through private brokers.

“The Privacy Act’s authors could not have foreseen the proliferation of commercially available information (CAI) in the decades following the Act’s passage – especially CAI containing personally identifiable information (PII) sold by data brokers – nor federal agencies’ voracious appetite for such data,” the report states.
It recommends setting up a process to authorize federal use of commercially available information modeled on the Federal Risk and Authorization Management Program. Known as FedRAMP, the program assesses the security of cloud offerings used by federal agencies.
“By modeling this process on or incorporating it into the Federal Risk and Authorization Management Program … Congress could standardize evaluations of commercially available datasets and mitigate privacy risk,” the report states. “Moreover, Congress could stipulate that such authorizations be made publicly available via a centralized portal, facilitating its own oversight while simultaneously improving accountability.”
‘Messy’ state of affairs
The Privacy Act’s protections “generally” cover CAI that contains personally identifiable information, the report acknowledges. But CAI “presents emergent privacy risks that demand additional quality and transparency controls which Congress is uniquely positioned to mandate.”
Trahan’s report points to how civilian agencies rely on data brokers to verify identity and prevent fraud, rather than using data from other federal agencies. The Privacy Act “engenders a dynamic in which civilian agencies under pressure from Congress to meet statutory deadlines routinely look to commercial data brokers rather than other agencies or individuals for requisite data,” Trahan’s report states.
Meanwhile, law enforcement and intelligence agencies rely on “copious exceptions” in law to buy and share commercially available information.
“This state of affairs is messy, inefficient, and indefensible,” Trahan’s report states.

Civil liberties groups have also argued that agencies use data brokers to circumvent the Fourth Amendment and evade privacy protections. In response to a 2024 request for information from the Office of Management and Budget, privacy advocates pointed to the types of information the data broker industry collects and sells on individuals.
“This data includes, but is not limited to, detailed location histories; demographic information, including membership in legally protected groups, interests, affinities, and associations; and information about finances and wealth, property, healthcare, and internet search and browsing history,” a group of civil liberties nonprofits told OMB.
In a separate response, the Federation of American Scientists argued agencies like Immigration and Customs Enforcement have used broker-purchased data to track individuals without warrants.
Like Trahan’s proposal, the FAS has recommended using FedRAMP to authorize third-party data sources. “An authorization framework for CAI containing PII would ensure a standardized approach for data collection, management, and contracting, mitigating risks, and ensuring ethical data use,” FAS wrote.
The Democratic congresswoman’s report said a standardized authorization framework for CAI should be one that “meaningfully mitigates privacy risk for individuals, improves quality control, and eliminates redundant procurements.”
Much like how FedRAMP uses third-party assessors to evaluate whether cloud services meet security controls, a “FedRAMP-for-CAI” solution would “identify appropriate CAI products and services, and evaluate those products and services against a common baseline of privacy controls,” Trahan’s report states.
“Agency authorizing officials use this information to make informed, risk-based, and efficient decisions concerning the use of those CAI products and services,” it adds.