Secure Measures

<b>SPECIAL REPORT: The Next Steps for Security |</b> Agencies work to catch up to OMB mandates for protecting mobile data.

OMB's Four Ways to Improve Data Security

In June, just weeks after the Veterans Affairs Department revealed an employee lost a notebook PC containing the personal information of 26 million veterans, the Office of Management and Budget directed agencies to meet four requirements.

  1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined, in writing, to be nonsensitive by your deputy secretary or an individual he or she may designate

  2. Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access

  3. Log all computer-readable data extracts from databases holding sensitive information and verify whether each extract, including sensitive data, either has been erased within 90 days or its use is still required.

  4. Use a 'time-out' function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity. Most agencies have implemented this process.

IGs Depict Laggard Security Upgrade Progress

Karen Evans, Office of Management and Budget administrator for e-government and IT, last year commissioned a study of how well agencies are protecting sensitive personal information.

The results confirm the impressions of IT leaders contacted for this report, in that they reflect halting and uneven security upgrades.

John P. Higgins, Education Department inspector general, and his staff compiled results of the study from 49 unclassified inspector general office reports and sent them to Evans in October.

'For the 49 responses consolidated here, only 11 OIGs report that their agency has confirmed identification of [personal identifying information] protection needs, including verification of information categorization and existing risk assessments,' the study said.

The analysis, titled Federal Agencies' Efforts to Protect Sensitive Information, is posted at the Web site of the President's Council on Integrity and Efficiency (

The survey found, among other results, that:

  • Three-quarters of agencies still were confirming their needs for protecting personal identifying information.
  • Agencies had trouble developing detailed, enforceable and firm policies to limit physical removal, remote access, remote download and storage of sensitive personal information.
  • Shielding personal information presents agencies with difficult technical, organizational and enforcement problems; some agencies planned to completely overhaul their encryption systems, while other used risk-based methods to rank their security priorities.
  • Many agencies have implemented 'time-out' functions, but most are behind in adopting encryption, two-factor authentication and erasure of database extracts after 90 days.

'Most federal agencies are still at risk for improper access and disclosure of personally identifiable information and other sensitive data, despite continued progress toward the establishment of appropriate safeguards,' the report concluded.

The authors of the aggregated statistical report judged that its detailed results were too sensitive for public disclosure, likely because they could pinpoint specific agencies' security shortcomings.

Wilson P. Dizard III

"Time-out was the easiest of the four. The other three require strong coordination and planning, along with, in some cases, money." Barry West, Commerce CIO

Last year's rash of data theft scandals forced federal officials to acknowledge a tawdry reality: Despite years of solemn pledges to safeguard personal data, federal technology security, especially for mobile computers and media, remains troubled.

Agencies' widespread security shortcomings have been highlighted by their stumbling compliance with last summer's Office of Management and Budget mandate to upgrade data protection on mobile systems.

OMB's four required steps (see box) are built on long-standing federal law and policy, including the Federal Information Security Management Act and OMB Circular A-123, that most agencies have fallen short in meeting. That's despite OMB's claim in the June 23 memo that, 'Most departments and agencies have these measures already in place.'

Survey data from inspectors general confirm the finding of a GCN survey of federal IT specialists that the security improvements are confused and halting.

IT leaders cite a matrix of policy, technical and cultural barriers that hobble security improvements:

  • Funding shortfalls, which can amount to millions per agency to pay for mandated upgrades
  • Technical barriers to adopting three of the four security measures
  • Organizational obstacles to adopting tighter security procedures, such as the need to train data users on requirements embedded in the National Institute of Standards and Technology's Special Publication 800-53 regarding the use of virtual private networks for remote access
  • Difficulties in retrofitting upgraded IT security controls on legacy systems, many of which use custom code that can respond unpredictably to software upgrades
  • User'and even management'resistance to taking the additional steps and time to carry out new security requirements.

Adoption of the new measures varies by agency and by the specific steps involved, officials said.

'Time-out was the easiest of the four. The other three require strong coordination and planning, along with, in some cases, money,' said Barry West, Commerce Department CIO. 'We were fortunate to get the encryption software before the new fiscal year, so we weren't affected by the continuing resolution because I had budgeted money for security.' Commerce officials allocated the cost of the new systems across bureaus based on the number of users in each office, West said.

Cultural barriers form part of the security problem. 'Users push back [against new security requirements],' said one former federal IT leader who requested anonymity. 'They don't want to carry something extra. We had a political appointee at our agency who was convinced that he shouldn't have to use two forms [of authentication] because banks didn't do so. He fought back and tried to reverse the policy.'

As for the technical challenges agencies face, Mark Day, former Environmental Protection Agency chief technology officer and now CTO at McDonald Bradley Inc. of Herndon, Va., cited problems with encrypting data, especially on notebooks that already carry a great deal of information.

'Laptops become cluttered with large volumes of data and develop heavily fragmented hard drives,' Day said. 'When you go to encrypt it, you can have a reasonable failure rate of 5 percent up to 30 percent.'

By contrast, with the timed log-offs, Day said, the requirements are 'widely accepted, widely in use and widely understood. There is little unknown [about the practice].'

An OMB official, who requested anonymity, said all agencies have started working to implement the four new requirements but sidestepped the question of how far they have progressed.

'We will continue to work with the departments and agencies as well as the inspectors general to review these processes and the status of individual agencies on implementation of each of the four recommendations,' the official said.

And agencies likely will not get much additional funding from the Hill to meet these requirements. One chief information security officer, who requested anonymity, said OMB should develop a governmentwide vehicle to buy these security services in bulk to help agencies save money.

Bob Post, vice president of the assurance and resilience capability team at Booz Allen Hamilton Inc. of McLean, Va., said Congress' viewpoint is that agencies have had the security responsibilities for many years under existing laws.

'Maybe OMB and agencies need to come clean and say this is a bigger problem than first thought,' Post said. 'There have not been too many high-profile spills lately because the message has gotten out. People are more [conscious] of how best to handle devices, and that cuts down some of it.'

Post said the OMB mandates would reduce data losses from removable media and mobile systems.

'You want to minimize, as a part of a whole risk-reduction strategy, the amount of information floating around on these devices. Then what you have left, after you have reduced the population of people taking info out the door, [you consider] how do you deal with people who have to have information on devices,' Post said.
Further steps involve training and education, he added.

Post noted that though users have adopted mobile equipment, security awareness and training have not kept pace.

'You can't think of this as a desktop machine any more,' Post said. 'We have to change our mind-set with these devices, and it is even worse with cell phones, PDAs and other devices that have more capacity. That is why you only take data you need to do your job.'

OMB now is reviewing the agencies' annual FISMA reports and preparing its governmentwide report for Congress, the official said, adding that OMB would issue further security guidance as it continues to identify gaps.

As for the loss of data, the official added, 'Specifically in the realm of personal information, we have been working with agencies through the President's Identity Theft Task Force, focused on safeguarding of personal information and breach notification.'

In this Special Report

  • LEAD STORY | Secure Measures

  • Commerce uses encryption to help steel notebooks

  • Cost of two factors adds up

  • Logging data extracts puts some agencies in a bind

  • Agencies feel botnets' light footprint

  • New York battles botnets by testing employees

  • Feds split on FISMA's effectiveness

  • Defense domain, civilian awareness

  • Stay Connected

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.