Security policies proliferate in wake of data thefts

Some measures may not mean much

As reports of data being compromised in agencies’ information technology systems mount, policy-makers are responding with efforts to clamp down. Recent cases involving the Department of Veterans Affairs, the Energy Department and the Navy that have exposed personal data, including Social Security numbers, have raised fears of identity theft.

The Office of Management and Budget issued a memorandum July 12 detailing the steps agencies should follow to report security incidents. Rep. Tom Davis (R-Va.) introduced a bill also calling for a mandatory reporting process, while DOE issued a final rule that had been under development for more than a year outlining the mandatory process to gain access to agency computers.

The security incident at DOE happened more than a year before word of it came out in June.

The National Nuclear Security Administration was the target of the attack and the source of the new rule, which will become effective agencywide Aug. 18. The main feature of the rule is that DOE employees and contractors must acknowledge in writing that authorized investigative agencies can access the computers they used during the time of their employment and for as long as three years after they leave.

The rule states that members of the public who interact with DOE computers, even through simply sending an e-mail message to the agency, can have no expectation of privacy. The rule follows one proposed by the department in March 2005 and incorporates comments the agency received.

Similar policies are common in private industry but less common among agencies, said analyst John Pescatore, vice president of Internet security at Gartner. However, as agencies learn from experience — their own or other agencies’ — such measures are likely to become more widespread, he said.

“There have been various rulings about whether an employee has a reasonable expectation of privacy” when using their employers’ computers, he said. “The way industry deals with that is to make the employee sign something saying they have no expectation of privacy.”

In agencies, conflicts have arisen when officials tried to monitor traffic to ensure data was secure, he said. The explicit policy is designed to resolve such disputes.

“I would expect to see many more government agencies doing this,” Pescatore said.

Randy Erwin, assistant to the president of the National Federation of Federal Employees, said his union would not object to the notion that agency employees have no expectation of privacy. That, he said, is the status quo for employees of most organizations, and requiring a signed statement simply calls the policy to the employees’ attention.

However, he added, “We’d like to see one of the actual statements. The devil is in the details. Our concern is that they’d be giving something more away.”

The renewed attention to reporting requirements is also connected to DOE’s experience and the concern that potential victims of identity theft didn’t learn they were vulnerable until long after the incident. OMB’s guidance added urgency to the procedures mandated by the Federal Information Security Management Act of 2002 by requiring agencies to report all breaches involving personally identifiable information within one hour of discovering the breach.

Alan Paller, director of research at the SANS Institute, said he doubted that OMB or Congress could have much effect on how quickly agencies report data breaches.

“People who were going to delay the release of — or just refuse to release — information will still do that,” he said.

OMB’s reminder

In a July 12 memo, the Office of Management and Budget reminded agencies of their data breach reporting requirements under the Federal Information Security Management Act of 2002 and amended some of them.

Karen Evans, administrator of OMB’s Office of E-Government and Information Technology, issued the memo. Its major points include:

  • All agencies must report security incidents to the U.S. Computer Emergency Readiness Team, a federal incident response center at the Homeland Security Department.
  • Agencies must report all data breaches involving personally identifiable information, including those that are suspected but not proven, within one hour of discovering the breach.