OMB directs agencies to secure file sharing networks
By Jason Miller
Sep 10, 2004
CAMBRIDGE, Md. - The Office of Management and Budget is clamping down on agency use of file sharing peer-to-peer networks.
Karen Evans, OMB's administrator for e-government and IT, earlier this week sent a memo to CIOs directing them to update or create a policy to 'ensure the appropriate use of certain technologies used for file sharing across networks.'
OMB instructed IT managers to make sure agency personnel are trained in the proper use of file sharing networks and the department's policies.
Evans also required CIOs to implement National Institute of Standards and Technology cybersecurity standards to prevent and detect improper file sharing systems.
'We are trying to do a better job of managing the risk of these peer-to-peer systems,' Evans said at the 2004 Interagency Resources Management Conference. 'We are not banning them on government networks, but if agencies need to use them, they have to be cognizant of the risk and make business decisions based on that risk.'
She said OMB has been receiving questions about the appropriate use of this technology and the memo is an attempt to clarify the administration's policy.
Many scientific agencies, such as NASA or the National Institutes of Health, use file sharing networks, Evans said.
'These systems are usually highly decentralized and are designed to facilitate connections between persons who are looking for certain types of files,' the memo said. 'While there are many appropriate uses of this technology, a number of studies show the vast majority of files traded on [peer-to-peer] networks are copyrighted music files and pornography. Data also suggests [peer-to-peer networks] is a common avenue for the spread of computer viruses within IT systems.'
Evans said no agencies reported any problems or security breaches because of peer-to-peer networks, but CIOs and other IT managers have been asking about this emerging technology.
Agencies should already have developed policies on employees' personal use of IT, based on 1999 CIO Council guidance. If an agency has not created such a policy, Evans said, it must do so by Dec. 1.