Security policies proliferate in wake of data thefts

Some measures may not mean much

As reports of data being compromised in agencies’ information technology systems mount, policy-makers are responding with efforts to clamp down. Recent cases involving the Department of Veterans Affairs, the Energy Department and the Navy that have exposed personal data, including Social Security numbers, have raised fears of identity theft.

The Office of Management and Budget issued a memorandum July 12 detailing the steps agencies should follow to report security incidents. Rep. Tom Davis (R-Va.) introduced a bill also calling for a mandatory reporting process, while DOE issued a final rule that had been under development for more than a year outlining the mandatory process to gain access to agency computers.

The security incident at DOE happened more than a year before word of it came out in June.

The National Nuclear Security Administration was the target of the attack and the source of the new rule, which will become effective agencywide Aug. 18. The main feature of the rule is that DOE employees and contractors must acknowledge in writing that authorized investigative agencies can access the computers they used during the time of their employment and for as long as three years after they leave.

The rule states that members of the public who interact with DOE computers, even through simply sending an e-mail message to the agency, can have no expectation of privacy. The rule follows one proposed by the department in March 2005 and incorporates comments the agency received.

Similar policies are common in private industry but less common among agencies, said analyst John Pescatore, vice president of Internet security at Gartner. However, as agencies learn from experience — their own or other agencies’ — such measures are likely to become more widespread, he said.

“There have been various rulings about whether an employee has a reasonable expectation of privacy” when using their employers’ computers, he said. “The way industry deals with that is to make the employee sign something saying they have no expectation of privacy.”

In agencies, conflicts have arisen when officials tried to monitor traffic to ensure data was secure, he said. The explicit policy is designed to resolve such disputes.

“I would expect to see many more government agencies doing this,” Pescatore said.

Randy Erwin, assistant to the president of the National Federation of Federal Employees, said his union would not object to the notion that agency employees have no expectation of privacy. That, he said, is status quo for employees of most organizations, and requiring a signed statement is simply calling the policy to the employees’ attention.

However, he added, “We’d like to see one of the actual statements. The devil is in the details. Our concern is that they’d be giving something more away.”

The renewed attention to reporting requirements is also connected to DOE’s experience and the concern that potential victims of identity theft didn’t learn they were vulnerable until long after the incident. OMB’s guidance added urgency to the procedures mandated by the Federal Information Security Management Act of 2002 by requiring agencies to report all breaches involving personally identifiable information within one hour of discovering the breach.

Alan Paller, director of research at the SANS Institute, said he doubted that OMB or Congress could have much effect on how quickly agencies report data breaches.

“People who were going to delay the release of — or just refuse to release — information will still do that,” he said.

OMB’s reminder

In a July 12 memo, the Office of Management and Budget reminded agencies of their data breach reporting requirements under the Federal Information Security Management Act of 2002 and amended some of them.

Karen Evans, administrator of OMB’s Office of E-Government and Information Technology, issued the memo. Its major points include:

  • All agencies must report security incidents to the U.S. Computer Emergency Readiness Team, a federal incident response center at the Homeland Security Department.
  • Agencies must report all data breaches involving personally identifiable information, including those that are suspected but not proven, within one hour of discovering the breach.