OMB security mandates pile up
Agencies say the most onerous policy requires them to log database extracts
Agency officials say they are struggling to keep up with new security policies that the Office of Management and Budget has issued in a steady stream since June 2006, after a Veterans Affairs Department employee lost personal data on 26.5 million veterans and their families.
The latest security memo set a deadline of Sept. 21 for agencies to show OMB their plans for scrubbing Social Security numbers from publicly accessible information systems and procedures for notifying federal authorities when a data breach occurs. The National Institute of Standards and Technology (NIST) is working on a document to help agencies assess sensitive information and determine how to handle data breaches.
'People are terrified of data breaches,' said Tim Grance, manager of systems and network security at NIST. The best way to protect sensitive data is to reduce the amount of personal information that agencies collect, said Grance, who spoke at a recent conference in Washington sponsored by RSA Security.
The May policy memo asks agencies to set policies stating how and under what circumstances employees must report confirmed and suspected data breaches. It also directs agencies to notify the U.S. Computer Emergency Readiness Team about data losses or exposures within one hour of discovering them.
The memo that announced the September deadline asks agencies to secure sensitive information by using many of the mandatory safeguards that OMB outlined in a June 2006 policy memo.
The deadline is partly about having agencies solidify the foundations of data security, said Paul Kurtz, chief operating officer at Good Harbor Consulting. 'What OMB is really interested in here is making sure that every agency has filed a plan with a timeline in order to fulfill the original June 2006 memo.'
Since agencies received the June 2006 memo, many have reported making progress on encrypting mobile computers and devices holding sensitive data and implementing security safeguards such as two-factor authentication and time-out functions that require re-authentication after 30 minutes of inactivity.
The most difficult requirement for agencies is having to log and verify computer-readable data extracts from databases holding sensitive information, said Marc Groman, chief privacy officer at the Federal Trade Commission. That is difficult because logging and tracking data extracts require agencies to implement a new process and integrate several technologies.
'First, you have to change the way you manage your data and then stitch together different technologies,' said Steve Lafferty, vice president of marketing at Prism Microsystems. 'The simpler solution is to ratchet down the availability of data to mobile workers until the technology catches up.'
For most agencies, the first step to safeguarding personal data is locating the documents and databases containing Social Security numbers, Groman said.
Mischel Kwon, chief information technology security technologist at the Justice Department, agreed that cleansing files containing Social Security numbers is a long-term project. 'In the interim, we need to do common sense things,' such as implementing employee awareness training, she said.
The FTC considered employee and contractor awareness to be important factors when it developed a breach notification plan incorporating OMB's guidance.
Mary Mosquera is a reporter for Federal Computer Week.