Seven in 10 government mobile devices unencrypted
- By Kathleen Hickey
- Jul 29, 2008
Only 30 percent of laptop computers and handheld devices are encrypted at 24 major federal agencies, while six federal agencies' encryption installations may not work as intended, according to the Government Accountability Office.
A recent GAO report, titled 'Information Security: Federal Efforts to Encrypt Sensitive Information are Underway, but Work Remains,' noted that from July through September 2007, 24 major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 percent of their laptop computers and handheld devices. Additionally, agencies reported uncertainty regarding the applicability of the encryption requirements for mobile devices, specifically portable media.
Six federal agencies' weak encryption practices (including installing and configuring FIPS-validated cryptographic module products, monitoring the effectiveness of these technologies, developing encryption policies and procedures, and training personnel) 'increased the likelihood that the encryption technologies used by the agencies will not function as intended,' the report concluded. 'Until agencies address these weaknesses, sensitive federal information will remain at increased risk of unauthorized disclosure, modification, or loss.'
House Homeland Security Committee Chairman Rep. Bennie Thompson (D-Miss.) expressed frustration over the report's conclusions.
'Encryption is not an option; it is a mandate,' Thompson said. 'Unfortunately, I'm not surprised that despite mandates by [the Office of Management and Budget], the federal government is only 30 percent of the way there. This administration regularly falls short when it comes to addressing our information security weaknesses. Making the right investments in cybersecurity today will keep us from paying dearly in the long run.'
The report recommended that OMB clarify governmentwide encryption policy to address agency efforts to plan for and implement encryption technologies. Additionally, GAO made recommendations to selected agencies to properly install and configure FIPS-compliant encryption technologies, to develop policies and procedures to manage encryption, and to provide encryption training to personnel.
The Federal Information Security Management Act of 2002 mandates that agencies implement information security programs to protect agency information and systems. In addition, other laws provide guidance and direction for protecting specific types of information, including agency-specific information.
In 2007, OMB issued a policy requiring that all agencies encrypt all data on mobile computers and devices that carry sensitive agency data. It also reinforced the long-standing requirement that agencies use products that have been approved by the National Institute of Standards and Technology's cryptographic module validation program. Furthermore, NIST has published guidelines for federal agencies to use in planning and implementing encryption technologies.
Kathleen Hickey is a freelance writer for GCN.