OMB beefs up protections for sensitive information
- By Matthew Weigelt
- Jun 26, 2006
The Office of Management and Budget issued a checklist late last week for agencies to follow as they try to make personal information more secure. At least four federal agencies have recently reported security breaches that led to information on agency employees, contractors and citizens being potentially exposed to identity thieves.
In a June 23 memo to department and agency heads, Clay Johnson, OMB's deputy director for management, wrote that agencies should:
- Encrypt all data on mobile computers carrying sensitive information.
- Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer.
- Use a “time-out” function for remote access, requiring remote users to sign in again after 30 minutes of inactivity.
- Log all computer-readable data from databases with sensitive information and verify the data is erased within 90 days, unless it is still needed.
OMB will work with inspectors general to ensure compliance, the memo states.
“Strict adherence to safeguard standards is critical to protecting sensitive data,” Johnson said in a press release.
These standards should be in place in 45 days, according to the memo.
Rep. Tom Davis (R-Va.), who chairs the House Government Reform Committee, said OMB’s memo is a sensible step toward blocking future security breaches. Under the Federal Information Security Management Act, OMB’s role is to require agencies to secure sensitive information.
“However, given the spotty record of compliance we have seen among the agencies, I sincerely hope this action leads to both better results and better practices — and if not, perhaps Congress will have to step in and mandate specific security requirements,” Davis said in a statement.
Johnson wrote in his memo that OMB's checklist is designed to protect information accessed or removed from an agency. The intent of the checklist is to compensate for the lack of physical security controls when information is accessed remotely, the memo states.
FISMA was enacted to ensure agencies meet consistent standards for security requirements for information and information systems. NIST defines these standards, and OMB ensures that they are carried out across the agencies.