[Dataloss] OMB Sets Guidelines for Federal Employee Laptop Security

Richard Forno rforno at infowarrior.org
Tue Jun 27 14:14:48 EDT 2006


OMB Sets Guidelines for Federal Employee Laptop Security

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, June 27, 2006; 11:22 AM
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540_pf.html


The Bush administration is giving federal civilian agencies 45 days to
implement new measures to protect the security of personal information that
agencies hold on millions of employees and citizens.

The new security guidelines, issued Friday by the White House Office of
Management and Budget, cap a month marked by data thefts or disclosures at
five different agencies that compromised Social Security numbers and other
private data on millions of people.

To comply with the new policy, agencies will have to encrypt all data on
laptop or handheld computers unless the data are classified as
"non-sensitive" by an agency's deputy director. Agency employees also would
need two-factor authentication -- a password plus a physical device such as
a key card -- to reach a work database through a remote connection, which
must be automatically severed after 30 minutes of inactivity.

Finally, agencies would have to begin keeping detailed records of any
information downloaded from databases that hold sensitive information, and
verify that those records are deleted within 90 days unless their use is
still required.

OMB said agencies are expected to have the measures in place within 45 days,
and that it would work with agency inspectors general to ensure compliance.
It stopped short of calling the changes "requirements," choosing instead to
label them "recommendations" that were intended "to compensate for the
protections offered by the physical security controls when information is
removed from, or accessed from outside of the agency location."

That careful distinction indicates that the administration is under pressure
to respond to the recent string of data mishaps, but that it could not
quickly pull all the political and financial strings usually tied to
regulatory mandates, according to James Lewis, director of technology and
public policy at the Center for Strategic and International Studies.

"The encryption and authentication measures mean agencies are going to have
to spend money that they weren't planning to spend, and so in that way it's
probably easier for [OMB] to get a recommendation out than [a] command,"
Lewis said. "That said, this is more of an implied threat, because you
usually don't threaten agencies with their inspector general unless you
intend to lean on them."

"The safeguards that the White House is calling for are excellent," said
Alan Paller, director of research for the SANS Institute, a security
training group based in Bethesda, Md. However, Paller said, agencies are
likely to become preoccupied with a document attached to the memo that
spells out nearly a dozen new "action items" devised by the National
Institute of Standards and Technology (NIST).

"The sad thing is that NIST grasped defeat from the jaws of victory by crafting
a document that requires agencies to spend a lot of time and tens of
thousands of dollars in studies to figure out what to do next."

The new guidelines also drew a strong
reaction from House Government Reform Committee Chairman Thomas M. Davis III
(R-Va.), whose panel has awarded government-wide cyber-security efforts a
grade of D-plus or worse for the past four years in a row.

"I sincerely hope this action leads to both better results and better
practices -- and if not, perhaps Congress will have to step in and mandate
specific security requirements," Davis said in a statement.

The recent string of data incidents began May 22, when the Department of
Veterans Affairs disclosed that a laptop and external hard drive --
including the unencrypted names, Social Security numbers and birth dates for
about 26.5 million veterans -- were stolen earlier in the month from the
home of a VA employee.

On June 5, the Internal Revenue Service said a missing laptop contained the
Social Security numbers, fingerprints and names of 291 employees and IRS job
applicants. Two weeks later the Agriculture Department revealed that a
hacker had broken into its network and stolen names, Social Security numbers
and photos of some 26,000 employees and contractors in the Washington area.

Then on Thursday the Federal Trade Commission -- an agency whose mission
includes consumer protection and occasionally involves suing companies for
negligence in protecting customer information -- said it lost a pair of
laptops that contained Social Security numbers and financial data related to
different law enforcement investigations.

That same day, the Navy said it was investigating how Social Security
numbers and other personal data for 28,000 sailors and family members wound
up on a civilian Web site.

© 2006 Washingtonpost.Newsweek Interactive