OMB emphasizes data security guidance

The Office of Management and Budget today provided a checklist of best practices that agencies must have in place in 45 days to compensate for the absence of physical security controls when employees remove information or access it from outside of agency premises.

Most departments should already have the measures recommended by the National Institute of Standards and Technology in place, according to Clay Johnson, OMB deputy director for management.

"We intend to work with the inspectors general community to review these items, as well as the checklist, to ensure we are properly safeguarding the information the American taxpayer has entrusted to us," he said in the memo dated June 23.

Besides the checklist, agencies must also, by early August, encrypt all data on mobile devices that carry sensitive data and allow remote access only with two-factor authentication. One of those factors should be provided by a device separate from the computer gaining access. Agencies will implement a 'time-out' function for remote access and mobile device users, who will need to re-authenticate after 30 minutes of inactivity. Agencies will log all computer-readable data extracts from databases holding sensitive information. They must verify that each extract of sensitive data has been erased within 90 days or that its use is still required.

OMB provided sample privacy documents for system of records notices for personnel security files, identity management systems, identity card proofing and Privacy Act statement and a Privacy Act statement for users of personal identity verification cards.

Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, applauded OMB's memo.

"Today's action by the Office of Management and Budget to reinforce security standards for sensitive information controlled by the federal government is a sensible step, given the various data breaches we have seen in recent weeks," he said. "[G]iven the spotty record of compliance [with the Federal Information Security Management Reform Act] we have seen among the agencies, I sincerely hope this action leads to both better results and better practices - and if not, perhaps Congress will have to step in and mandate specific security requirements."

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

