By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, June 27, 2006 11:22 AM
The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens.
The new security guidelines, issued Friday by the White House Office of Management and Budget, cap a month marked by data thefts or disclosures at five different agencies that compromised Social Security numbers and other private data on millions of people.
To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity.
Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.
OMB said agencies are expected to have the measures in place within 45 days, and that it would work with agency inspectors general to ensure compliance. It stopped short of calling the changes "requirements," choosing instead to label them "recommendations" that were intended "to compensate for the protections offered by the physical security controls when information is removed from, or accessed from outside of the agency location."
That careful distinction indicates that the administration is under pressure to respond to the recent string of data mishaps, but that it could not quickly pull all the political and financial strings usually tied to regulatory mandates, according to James Lewis, director of technology and public policy at the Center for Strategic and International Studies.
"The encryption and authentication measures mean agencies are going to have to spend money that they weren't planning to spend, and so in that way it's probably easier for [OMB] to get a recommendation out than [a] command," Lewis said. "That said, this is more of an implied threat, because you usually don't threaten agencies with their inspector general unless you intend to lean on them."
"The safeguards that the White House is calling for are excellent," said Alan Paller, director of research for the SANS Institute, a security training group based in Bethesda, Md. However, Paller said, agencies are likely to become preoccupied with a document attached to the memo that spells out nearly a dozen new "action items" devised by the National Institute of Standards and Technology (NIST).
"The sad thing is that NIST grasped defeat from the jaws of victory by crafting a document that requires agencies to spend a lot of time and tens of thousands of dollars in studies to figure out what to do next."
The new guidelines (viewable here as a PDF document) also drew a strong reaction from House Government Reform Committee Chairman Thomas M. Davis III (R-Va.), whose panel has awarded government-wide cyber-security efforts a grade of D-plus or worse for the past four years in a row.
"I sincerely hope this action leads to both better results and better practices -- and if not, perhaps Congress will have to step in and mandate specific security requirements," Davis said in a statement.
The recent string of data incidents began May 22, when the Department of Veterans Affairs disclosed that a laptop and external hard drive -- including the unencrypted names, Social Security numbers and birth dates for about 26.5 million veterans -- were stolen earlier in the month from the home of a VA employee.
On June 5, the Internal Revenue Service said a missing laptop contained the Social Security numbers, fingerprints and names of 291 employees and IRS job applicants. Two weeks later the Agriculture Department revealed that a hacker had broken into its network and stolen names, Social Security numbers and photos of some 26,000 employees and contractors in the Washington area.
Then on Thursday the Federal Trade Commission -- an agency whose mission includes consumer protection and occasionally involves suing companies for negligence in protecting customer information -- said it lost a pair of laptops that contained Social Security numbers and financial data related to different law enforcement investigations.
That same day, the Navy said it was investigating how Social Security numbers and other personal data for 28,000 sailors and family members wound up on a civilian Web site.