VA gives thumbs down to thumb drives

High-profile agency is at the forefront of a trend to restrict the use of thumb drives

After a series of incidents over the past several months involving missing data, federal agencies are writing policies that restrict the use of mobile storage devices such as thumb drives. At the forefront of that trend is the Department of Veterans Affairs, which lost data on 26.5 million current and retired veterans last year when one of the department’s computers was stolen from an employee’s home.

A number of agencies say they are abandoning a culture in which almost everyone could take information out of the office on a mobile device and are creating a new culture in which people must justify taking any data off the network, where it is relatively secure.

The VA plans to institute a policy, beginning in April, that will require employees to use only approved thumb drives that hold no more than 2G of data and meet the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 for encrypting data.

“This effort is to drive down the use of thumb drives,” said Bob Howard, the VA’s chief information officer. “This will help us eliminate future problems by shutting down an easy way to take data out of the office.”

Policies such as the one the VA is creating line up with the Office of Management and Budget’s policy, which requires agencies to secure their data. OMB’s policy memo on data security requires agencies to encrypt all data on mobile devices such as thumb drives.

“We are working to come up with a solution of our own,” said Dennis Heretick, the Justice Department’s chief information security officer. “We have a policy that says data on mobile devices must be encrypted, but now we have to implement it.”

Heretick said the department is implementing the policy by letting bureaus purchase only mobile devices with built-in encryption.

Nate Cote, vice president of product management for Kanguru Solutions, said several federal agencies have bought or are evaluating the company’s FIPS 140-2 encrypted thumb drives.

“This year agencies are more likely to allocate dollars to buy this type of secure device,” Cote said.

OMB issued its memo after many agencies had spent their 2006 funds, he added.

At the VA, only the CIO’s office will be allowed to buy and distribute thumb drives, Howard said. 

“We don’t need 200,000 employees with them,” he said. “They must demonstrate a need for the devices before we will issue them.”

Howard said the VA is taking other steps to reduce the risk of data loss. For example, it is creating a standard configuration for the smart phones and personal digital assistants that its employees use. It plans to eliminate all unencrypted data traffic on the VA’s network and reduce the number of virtual private networks that connect to VA networks.

Cote said agencies also can install software that uses device identification numbers to prevent employees from putting thumb drives on the network.

Technologies enforce policies
Cote said Kanguru’s thumb drives have 256-bit Advanced Encryption Standard encryption and strong user name and password protection. The thumb drives wipe themselves clean after seven incorrect password attempts, he said.
Alan Paller, director of the SANS Institute, said having technology that enforces policy is a necessary ingredient of any information security program.

“If they don’t have the technology, then they might as well not have the policy,” Paller said. “You have to block or monitor what employees put on these devices.”

And information security trumps the need for convenience, Paller said.
“Agencies have to make it a high price for people to use them, such as sending a record to the security officer of what they downloaded.”

Five pointers for thumb-drive safetyThe Office of Government Ethics has issued a paper on the safe use of USB flash drives that store valuable data. It offered these recommendations:
  • Encrypt the data on thumb drives.
  • Use additional technologies to secure thumb drives, such as network software that blocks unauthorized USB drives.
  • Purchase encrypted password-protected drives.
  • Update security policies before issuing thumb drives.
  • Treat thumb drives like luggage at an airport; never leave them out of sight.
— Jason Miller

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group