Justice IG finds fault with encryption practices

A Justice Department component is not following encryption policies and practices regarding laptop computers and electronic tablets that store sensitive and potentially classified data, according to an audit issued March 20 by DOJ Inspector General Michael Horowitz.

The audit identified several weaknesses in the Executive Office for the United States Attorneys’ (EOUSA) adherence to whole-disk encryption on employee, contractor and subcontractor laptops and electronic tablets. The audit examined 120 of 10,790 EOUSA-owned laptops and found six used for unclassified processing were not encrypted. More troubling, according to the IG, is that the laptops in question were for “special purposes” such as jury duty use and were labeled to identify those purposes. The report found no policies in place to limit the use of the unencrypted laptops to those uses, either.

In addition, the audit sifted through three encryption monitoring scans conducted by EOUSA’s Information Systems Security team and found that eight laptops remained unencrypted for more than one year after they were first identified as such.

Recent headlines involving large private-sector companies, the Department of Veterans Affairs, the Internal Revenue Service and other agencies over information security vulnerabilities, unencrypted laptops and data breaches have put an emphasis on agencies shoring up vulnerabilities before they’re exposed in very public fashion.

“We believe that EOUSA’s lack of encryption on some of its classified devices, in addition to poor inventory management, allow for the potential loss of classified information,” the audit states. “Further, without formal and enforced Security Authorization of classified laptops, EOUSA is not able to maintain appropriate oversight to prevent the unauthorized disclosure, modification, or destruction of classified information. We recommend EOUSA implement procedures to ensure that accurate, current, and reliable information is maintained in an official inventory for unclassified and classified equipment to help EOUSA to ensure that all required laptops are encrypted and deployed in compliance with DOJ policy.”

The IG detailed a variety of other weaknesses in EOUSA’s compliance with DOJ information security guidelines, including: an incomplete equipment inventory; failure to create policies to minimize security risks from the use of tablets under a pilot program; and allowing contractors “to process department data on unencrypted equipment.”

An encryption waiver that once allowed that practice expired in 2011, according to the audit. The audit also found that oversight of contractors was “inconsistent,” and that some department data was not sufficiently monitored, “thereby increasing the risk of data loss.”

In response, the IG made 13 initial recommendations to EOUSA, one of which the IG closed. The office’s response, authored by Norman Wong, deputy director and counsel to the director for EOUSA, was swift: EOUSA agreed with the remaining 12 recommendations and is currently implementing corrective action.

About the Author

Frank Konkel is a former staff writer for FCW.
