Department of Navy Chief Information Officer (2023)

General Privacy FAQs

Published, September 11, 2018

The following is a list of general frequently asked questions of the Office of the Chief Information Officer (OCIO) Privacy Team.

What is PII?

PII stands for personally identifiable information. The definition of PII used throughout the federal government, including the Department of the Navy (DON), comes from Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource: "Personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual's identity, the term PII is necessarily broad." Your name and other elements such as date of birth (DOB), Social Security number (SSN), passport number, fingerprints, etc. fall under the definition of PII.

What is a PII Breach?

The Office of Management and Budget (OMB) defines a breach in its memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, as "The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose."

What PII can be Shared Without Causing a Breach?

DON uses the Office of Management and Budget (OMB) Circular A-130 definition of PII, which is the standard throughout the federal government. In many cases, when someone asks whether an identifying element is PII, what is really being asked is "is the release of a PII element a PII breach?" More broadly asked: What PII is it okay to share without causing a breach? In the DON, there are two blanket cases where disclosure of PII is not a reportable breach.

First, if it is your PII, or that of your dependents, you are of course free to share it with anyone you would like, without taking any precautions to prevent further dissemination of your PII. This is fraught with risk, however, and is neither recommended nor encouraged by the DON privacy office; it is, in fact, strongly discouraged. Properly protecting your own PII and that of those who rely upon you to protect it is critical to thwarting identity theft.

Second, there are PII elements which are generally releasable to members of the public under the Freedom of Information Act, aka FOIA, or authorized by DoD policy. These PII elements are typically referred to as "rolodex PII, business PII, office PII or internal government operations related PII." They include full name, DoD ID, DoD benefits number, pay grade or rank, office phone number, office address, and office email address. Considering the above, a digital signature, which includes your name and DoD ID, though PII by definition, when released does not constitute a breach, nor would the typical email signature block. The information contained in the Global Access List (GAL) is another example of where rolodex PII is accessible to anyone with a common access card (CAC) and is not considered a breach.

The release of rolodex PII can of course become a breach; it depends upon the circumstances and context of the release.

If in doubt as to whether or not the release of any PII elements alone or in combination is a breach, report it.

How Do I Report a Breach?

All members of the DON have a responsibility to report a breach, actual or suspected, when discovered. If you discover a breach, notify your supervisor or command privacy officer.

Within one hour of discovery, commands should report breaches to the Department of the Navy (DON) Office of the Chief Information Officer (OCIO) using the Secretary of the Navy (SECNAV) 5211/1 breach reporting form. It is important to report the breach within the one-hour period, even when all the details are not yet known, so that actions to mitigate the breach can be initiated. Supplemental reports using SECNAV 5211/1 can be submitted as appropriate.

See the PII Breach Reporting Resources page for access to the breach reporting forms, a convenient breach reporting desktop guide and other information on breaches within the DON.

What Happens After a Breach is Reported?

Within 24 hours of the OCIO privacy team receiving a breach report, the following actions will occur:

  • OCIO will assign a breach report tracking number.
  • If necessary, OCIO will contact the reporting command for additional information. OCIO will also determine the command that is accountable for breach mitigation actions (normally the reporting command is accountable for the breach).
  • OCIO will conduct a risk analysis to determine if written notification to affected individuals is required.
  • OCIO will inform the accountable command if written notification to affected individuals is required.
  • Should notification be directed, accountable commands have 10 days to notify impacted individuals. Note: delay in notification may occur if/when law enforcement or computer forensics require additional time for investigation and/or testing.
  • Within 30 days of being notified of the risk analysis and notification determination, accountable commands will submit the SECNAV 5211/2 after-action report to close the breach.

In rare instances, the magnitude of the breach, either because of the high number of impacted individuals or the severity of the breach, will require the Senior Component Official for Privacy (SCOP) for the Navy, the Under Secretary/CIO, to convene the DON breach response team (BRT). The BRT will manage the response for the DON, including notifying DoD. Typically, the BRT will coordinate with the reporting command via the OCIO privacy staff.

See the PII Breach Reporting Resources page for access to the breach reporting form and other information on breaches within the DON.

What is the Difference Between a Breach and a Spillage?

Breach is the term used to identify the compromise or suspected compromise of PII. Spillage is the term used when discussing a compromise of classified information.

Is My Name or the DoD ID Number PII?

Yes, your name and your DoD Identification (ID) Number are PII. They fit the OMB definition in that they can be used to distinguish or trace your identity.

What many people want to know when asking this question is: is the release of my DoD ID or name, such as in my digital signature or email signature block, a breach? In general, no. The DoD ID number, by itself or with an associated name, shall be considered internal government operations-related PII; exposure of the DoD ID number shall not be considered a breach when exposed as a part of a DoD business function.

See the DoD information paper: "The DoD Identification (ID) Number as PII".


DON policy prohibits the use of a FAX machine to send the SSN or other PII except under the following circumstances:

  1. When another more secure means of transmitting PII is not practical.
  2. When a process outside of DON control requires FAXing to activities such as the Defense Finance and Accounting Service (DFAS), TRICARE, Defense Manpower Data Center (DMDC), etc.
  3. In cases where operational necessity requires expeditious handling.
  4. When FAXing internal government operations-related PII only, i.e., office phone number, rank, job title, etc.

When sending a FAX, use a Privacy Act Data Cover Sheet (DD FORM 2923) and verify receipt by the correct addressee.

See DON CIO Washington DC 081745Z NOV 12.

Do files containing PII on a shared network drive need to be labeled FOUO/PII?

According to DoDM 5200.01-V4, Enclosure 3, Paragraph 2.C.(3)(g) (page 14): "When FOUO information is contained in media or material (including hardware and equipment) not commonly thought of as documents (e.g., computer files and other electronic media, audiovisual media, chart, maps, films, sound recordings), the requirement remains to identify, as clearly as possible, the information that requires protection. The main concern is that holders and users of the material are clearly notified of the presence of FOUO information. The markings required by this enclosure shall be applied either on the item or the documentation that accompanies it."

The file document name itself does not necessarily need to contain the PII/FOUO marking as long as the person accessing the file knows that it contains PII/FOUO and the file has restricted permissions accessible only to those individuals with a need to know.


Who is the Navy chief of information?

Chief Information Officer, U.S. Department of the Navy

Aaron Weis was named Department of the Navy Chief Information Officer effective September 29, 2019. As DON CIO, he is the Principal Staff Assistant to the Secretary of the Navy for information management, digital, data and cyber strategy.

What is Navy CHINFO?

§ 705.2 Chief of Information and the Office of Information (CHINFO). (a) The Chief of Information is the direct representative of the Secretary of the Navy and of the Chief of Naval Operations in all public affairs and internal relations matters.

What is DADMS in the Navy?

DADMS is the DON's authoritative data source for system, application, database, network, and server information. DADMS supports IT baseline and cost control efforts assigned to the Office of the Chief of Naval Operations by the Vice Chief of Naval Operations.

Who does the DoD CIO report to?

The DoD CIO exercises authority, direction and control over the director of DISA and organizationally reports to the secretary of defense, the principal advisor to the president of the United States on all defense matters and issues.

How much does a chief in the Navy make?

How much does a Chief of Staff make at US Navy in the United States? Average US Navy Chief of Staff yearly pay in the United States is approximately $151,754, which is 56% above the national average.


Article information

Author: Sen. Emmett Berge

Last Updated: 02/25/2023