OMB emphasizes data security guidance

The Office of Management and Budget today provided a checklist of best practices that agencies must have in place in 45 days to compensate for the absence of physical security controls when employees remove information or access it from outside of agency premises.

Most departments should already have the measures recommended by the National Institute of Standards and Technology in place, according to Clay Johnson, OMB deputy director for management.

'We intend to work with the inspectors general community to review these items, as well as the checklist, to ensure we are properly safeguarding the information the American taxpayer has entrusted to us,' he said in the memo dated June 23.

Besides the checklist, agencies also by early August must encrypt all data on mobile devices that carry sensitive data and allow remote access only with two-factor authentication. One of those factors should be provided by a device separate from the computer gaining access. Agencies will implement a 'time-out' function for remote access and mobile devices users, who will need to re-authenticate after 30 minutes of inactivity. Agencies will log all computer-readable data extracts from databases holding sensitive information. They must verify that each extract of sensitive data has been erased within 90 days or its use is still required.

OMB provided sample privacy documents for system of records notices for personnel security files, identity management systems, identity card proofing and Privacy Act statement and a Privacy Act statement for users of personal identity verification cards.

Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, applauded OMB's memo.

"Today's action by the Office of Management and Budget to reinforce security standards for sensitive information controlled by the federal government is a sensible step, given the various data breaches we have seen in recent weeks," he said. "[G]iven the spotty record of compliance [with the Federal Information Security Management Reform Act] we have seen among the agencies, I sincerely hope this action leads to both better results and better practices-and if not, perhaps Congress will have to step in and mandate specific security requirements."

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.