Secure Measures


SPECIAL REPORT: The Next Steps for Security | Agencies work to catch up to OMB mandates for protecting mobile data.

Last year's rash of data theft scandals forced federal officials to acknowledge a tawdry reality: Despite years of solemn pledges to safeguard personal data, federal technology security, especially for mobile computers and media, remains troubled.

OMB's Four Ways to Improve Data Security

In June, just weeks after the Veterans Affairs Department revealed an employee lost a notebook PC containing the personal information of 26 million veterans, the Office of Management and Budget directed agencies to meet four requirements.


  1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined, in writing, to be nonsensitive by your deputy secretary or an individual he or she may designate


  2. Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access


  3. Log all computer-readable data extracts from databases holding sensitive information and verify whether each extract, including sensitive data, either has been erased within 90 days or its use is still required.


  4. Use a 'time-out' function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity. Most agencies have implemented this process.
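As an added illustration, not from the article or from any agency's own system, the following Python check applies requirement 3 to a constructed extract log: once a sensitive extract is older than 90 days, it must either have been erased or carry a current "still required" confirmation, and anything else is reported as overdue. The CSV layout, field names and dates are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RETENTION_DAYS = 90  # OMB: erase within 90 days or confirm the extract is still required

# Constructed sample extract log (not from the article); one row per logged extract.
SAMPLE_LOG = """extract_id,extracted_on,sensitive,erased_on,use_verified_on
X-001,2006-10-01,yes,,
X-002,2006-10-01,yes,2006-11-15,
X-003,2006-10-01,yes,,2006-12-20
X-004,2007-01-05,yes,,
X-005,2006-06-01,no,,
"""
AUDIT_DATE = date(2007, 1, 15)  # assumed "today" for the audit run


@dataclass
class Extract:
    extract_id: str
    extracted_on: date
    sensitive: bool
    erased_on: Optional[date]
    use_verified_on: Optional[date]  # last date a data owner confirmed the extract is still needed


def _parse_date(s: str) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def parse_log(text: str) -> List[Extract]:
    """Read the extract log; empty date fields mean 'not erased' / 'never re-verified'."""
    rows = csv.DictReader(io.StringIO(text))
    return [Extract(r["extract_id"], date.fromisoformat(r["extracted_on"]),
                    r["sensitive"].strip().lower() == "yes",
                    _parse_date(r["erased_on"]), _parse_date(r["use_verified_on"]))
            for r in rows]


def extract_status(e: Extract, today: date) -> str:
    """Classify one extract: nonsensitive, erased, within-window, still-required or overdue."""
    if not e.sensitive:
        return "nonsensitive"  # the 90-day rule applies only to sensitive data
    if e.erased_on is not None:
        return "erased"
    if (today - e.extracted_on).days <= RETENTION_DAYS:
        return "within-window"
    # Past 90 days: only a recent, affirmative 'still required' confirmation keeps it compliant
    if e.use_verified_on is not None and (today - e.use_verified_on).days <= RETENTION_DAYS:
        return "still-required"
    return "overdue"


def audit(text: str, today: date) -> Dict[str, str]:
    """Map every extract id in the log to its compliance status."""
    return {e.extract_id: extract_status(e, today) for e in parse_log(text)}


def overdue_extracts(text: str, today: date) -> List[str]:
    """IDs of sensitive extracts past 90 days with neither erasure nor a current justification."""
    return [i for i, s in audit(text, today).items() if s == "overdue"]
```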

IGs Depict Laggard Security Upgrade Progress

Karen Evans, Office of Management and Budget administrator for e-government and IT, last year commissioned a study of how well agencies are protecting sensitive personal information.


The results confirm the impressions of IT leaders contacted for this report, in that they reflect halting and uneven security upgrades.


John P. Higgins, Education Department inspector general, and his staff compiled results of the study from 49 unclassified inspector general office reports and sent them to Evans in October.


'For the 49 responses consolidated here, only 11 OIGs report that their agency has confirmed identification of [personal identifying information] protection needs, including verification of information categorization and existing risk assessments,' the study said.


The analysis, titled Federal Agencies' Efforts to Protect Sensitive Information, is posted at the Web site of the President's Council on Integrity and Efficiency (GCN.com/728).


The survey found, among other results, that:


  • Three-quarters of agencies still were confirming their needs for protecting personal identifying information.
  • Agencies had trouble developing detailed, enforceable and firm policies to limit physical removal, remote access, remote download and storage of sensitive personal information.
  • Shielding personal information presents agencies with difficult technical, organizational and enforcement problems; some agencies planned to completely overhaul their encryption systems, while others used risk-based methods to rank their security priorities.
  • Many agencies have implemented 'time-out' functions, but most are behind in adopting encryption, two-factor authentication and erasure of database extracts after 90 days.


'Most federal agencies are still at risk for improper access and disclosure of personally identifiable information and other sensitive data, despite continued progress toward the establishment of appropriate safeguards,' the report concluded.


The authors of the aggregated statistical report judged that its detailed results were too sensitive for public disclosure, likely because they could pinpoint specific agencies' security shortcomings.


Wilson P. Dizard III




Agencies' widespread security shortcomings have been highlighted by their stumbling compliance with last summer's Office of Management and Budget mandate to upgrade data protection on mobile systems.


OMB's four required steps (see box) are built on long-standing federal law and policy, including the Federal Information Security Management Act and OMB Circular A-123, that most agencies have fallen short in meeting. That's despite OMB's claim in the June 23 memo that, 'Most departments and agencies have these measures already in place.'


Survey data from inspectors general confirm the finding of a GCN survey of federal IT specialists that the security improvements are confused and halting.


IT leaders cite a matrix of policy, technical and cultural barriers that hobble security improvements:


  • Funding shortfalls, which can amount to millions per agency to pay for mandated upgrades
  • Technical barriers to adopting three of the four security measures
  • Organizational obstacles to adopting tighter security procedures, such as the need to train data users on requirements embedded in the National Institute of Standards and Technology's Special Publication 800-53 regarding the use of virtual private networks for remote access
  • Difficulties in retrofitting upgraded IT security controls on legacy systems, many of which use custom code that can respond unpredictably to software upgrades
  • User (and even management) resistance to taking the additional steps and time to carry out new security requirements.


Adoption of the new measures varies by agency and by the specific steps involved, officials said.


'Time-out was the easiest of the four. The other three require strong coordination and planning, along with, in some cases, money,' said Barry West, Commerce Department CIO. 'We were fortunate to get the encryption software before the new fiscal year, so we weren't affected by the continuing resolution because I had budgeted money for security.' Commerce officials allocated the cost of the new systems across bureaus based on the number of users in each office, West said.


Cultural barriers form part of the security problem. 'Users push back [against new security requirements],' said one former federal IT leader who requested anonymity. 'They don't want to carry something extra. We had a political appointee at our agency who was convinced that he shouldn't have to use two forms [of authentication] because banks didn't do so. He fought back and tried to reverse the policy.'


As for the technical challenges agencies face, Mark Day, former Environmental Protection Agency chief technology officer and now CTO at McDonald Bradley Inc. of Herndon, Va., cited problems with encrypting data, especially on notebooks that already carry a great deal of information.


'Laptops become cluttered with large volumes of data and develop heavily fragmented hard drives,' Day said. 'When you go to encrypt it, you can have a reasonable failure rate of 5 percent up to 30 percent.'


By contrast, with the timed log-offs, Day said, the requirements are 'widely accepted, widely in use and widely understood. There is little unknown [about the practice].'


An OMB official, who requested anonymity, said all agencies have started working to implement the four new requirements but sidestepped the question of how far they have progressed.


'We will continue to work with the departments and agencies as well as the inspectors general to review these processes and the status of individual agencies on implementation of each of the four recommendations,' the official said.


And agencies likely will not get much additional funding from the Hill to meet these requirements. One chief information security officer, who requested anonymity, said OMB should develop a governmentwide vehicle to buy these security services in bulk to help agencies save money.


Bob Post, vice president of the assurance and resilience capability team at Booz Allen Hamilton Inc. of McLean, Va., said Congress' viewpoint is that agencies have had the security responsibilities for many years under existing laws.


'Maybe OMB and agencies need to come clean and say this is a bigger problem than first thought,' Post said. 'There have not been too many high-profile spills lately because the message has gotten out. People are more [conscious] of how best to handle devices, and that cuts down some of it.'


Post said the OMB mandates would reduce data losses from removable media and mobile systems.


'You want to minimize, as a part of a whole risk-reduction strategy, the amount of information floating around on these devices. Then what you have left, after you have reduced the population of people taking info out the door, [you consider] how do you deal with people who have to have information on devices,' Post said.


Further steps involve training and education, he added.


Post noted that though users have adopted mobile equipment, security awareness and training have not kept pace.


'You can't think of this as a desktop machine any more,' Post said. 'We have to change our mind-set with these devices, and it is even worse with cell phones, PDAs and other devices that have more capacity. That is why you only take data you need to do your job.'


OMB now is reviewing the agencies' annual FISMA reports and preparing its governmentwide report for Congress, the official said, adding that OMB would issue further security guidance as it continues to identify gaps.


As for the loss of data, the official added, 'Specifically in the realm of personal information, we have been working with agencies through the President's Identity Theft Task Force, focused on safeguarding of personal information and breach notification.'


