OMB emphasizes data security guidance

The Office of Management and Budget today provided a checklist of best practices that agencies must have in place in 45 days to compensate for the absence of physical security controls when employees remove information or access it from outside of agency premises.

Most departments should already have the measures recommended by the National Institute of Standards and Technology in place, according to Clay Johnson, OMB deputy director for management.

'We intend to work with the inspectors general community to review these items, as well as the checklist, to ensure we are properly safeguarding the information the American taxpayer has entrusted to us,' he said in the memo dated June 23.

Besides the checklist, agencies also by early August must encrypt all data on mobile devices that carry sensitive data and allow remote access only with two-factor authentication. One of those factors should be provided by a device separate from the computer gaining access. Agencies will implement a 'time-out' function for remote access and mobile devices users, who will need to re-authenticate after 30 minutes of inactivity. Agencies will log all computer-readable data extracts from databases holding sensitive information. They must verify that each extract of sensitive data has been erased within 90 days or its use is still required.

OMB provided sample privacy documents for system of records notices for personnel security files, identity management systems, identity card proofing and Privacy Act statement and a Privacy Act statement for users of personal identity verification cards.

Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, applauded OMB's memo.

"Today's action by the Office of Management and Budget to reinforce security standards for sensitive information controlled by the federal government is a sensible step, given the various data breaches we have seen in recent weeks," he said. "[G]iven the spotty record of compliance [with the Federal Information Security Management Reform Act] we have seen among the agencies, I sincerely hope this action leads to both better results and better practices-and if not, perhaps Congress will have to step in and mandate specific security requirements."

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected