OMB security mandates pile up

Agencies say the most onerous policy requires them to log database extracts

Agency officials say they are struggling to keep up with new security policies that the Office of Management and Budget has issued in a steady stream since June 2006, after a Veterans Affairs Department employee lost personal data on 26.5 million veterans and their families.

The latest security memo set a deadline of Sept. 21 for agencies to show OMB their plans for scrubbing Social Security numbers from publicly accessible information systems and procedures for notifying federal authorities when a data breach occurs. The National Institute of Standards and Technology (NIST) is working on a document to help agencies assess sensitive information and determine how to handle data breaches.

'People are terrified of data breaches,' said Tim Grance, manager of systems and network security at NIST. The best way to protect sensitive data is to reduce the amount of personal information that agencies collect, said Grance, who spoke at a recent conference in Washington sponsored by RSA Security.

The May policy memo asks agencies to set policies stating how and under what circumstances employees must report confirmed and suspected data breaches. It also directs agencies to notify the U.S. Computer Emergency Readiness Team about data losses or exposures within one hour of discovering them.

The memo that announced the September deadline asks agencies to secure sensitive information by using many of the mandatory safeguards that OMB outlined in a June 2006 policy memo.

The deadline is partly about having agencies solidify the foundations of data security, said Paul Kurtz, chief operating officer at Good Harbor Consulting. 'What OMB is really interested in here is making sure that every agency has filed a plan with a timeline in order to fulfill the original June 2006 memo.'

Since agencies received the June 2006 memo, many have reported making progress on encrypting mobile computers and devices holding sensitive data and implementing security safeguards such as two-factor authentication and time-out functions that require re-authentication after 30 minutes of inactivity.

The most difficult requirement for agencies is having to log and verify computer-readable data extracts from databases holding sensitive information, said Marc Groman, chief privacy officer at the Federal Trade Commission. That is difficult because logging and tracking data extracts require agencies to implement a new process and integrate several technologies.

'First, you have to change the way you manage your data and then stitch together different technologies,' said Steve Lafferty, vice president of marketing at Prism Microsystems. 'The simpler solution is to ratchet down the availability of data to mobile workers until the technology catches up.'
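The "log and verify" requirement Groman describes is abstract in the article, so here is an added example of what such an extract log can look like in code. It is not from the article, OMB, or any agency; the design (an append-only, hash-chained log that records who pulled which extract, when, for what purpose, and a SHA-256 of the extract file, plus checks that the log has not been altered and that a file presented later still matches what was logged) is a hypothetical illustration, and the sample extract content and user names are constructed.

```python
"""Extract audit log: record and verify computer-readable extracts of sensitive data.

Hypothetical illustration, not any agency's implementation. Each log entry is
chained to the previous one by hash, so removing or editing an entry is detectable,
and each entry carries the SHA-256 of the extract so a file can later be matched
back to the event that produced it.
"""
import hashlib
import json
from datetime import datetime, timezone


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GENESIS = "0" * 64  # prev_hash of the first entry


class ExtractLog:
    """Append-only, hash-chained record of database extracts."""

    def __init__(self):
        self.entries = []

    def record(self, user, source, extract_bytes, purpose, when=None):
        """Log one extract event and return the entry that was written."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,                    # who performed the extract
            "source": source,                # database/table the data came from
            "purpose": purpose,              # stated business reason
            "size": len(extract_bytes),
            "extract_sha256": _sha256(extract_bytes),
            "prev_hash": prev,
        }
        # The entry hash covers every field above, including the link to the previous entry.
        entry["entry_hash"] = _sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Return True only if no entry has been altered, reordered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if _sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_extract(self, seq, extract_bytes):
        """Check that a file presented as extract `seq` is byte-identical to what was logged."""
        return _sha256(extract_bytes) == self.entries[seq]["extract_sha256"]

    def unaccounted(self, disposition):
        """Given {seq: disposition string}, return extracts with no recorded disposition.

        Disposition values (e.g. 'erased', 'retained-with-justification') are a
        constructed convention for this example, not a mandated vocabulary.
        """
        return [e["seq"] for e in self.entries if e["seq"] not in disposition]


# Constructed sample extract; the values are placeholders, not real data.
SAMPLE_EXTRACT = b"ssn,name\n000-00-0001,Example One\n000-00-0002,Example Two\n"


def demo():
    """Walk through record, verify and tamper detection; returns the observations."""
    log = ExtractLog()
    log.record("analyst1", "hr.employees", SAMPLE_EXTRACT, "quarterly headcount report")
    log.record("analyst2", "benefits.claims", b"claim_id,ssn\n1,000-00-0003\n", "audit sample")
    results = {
        "chain_ok": log.verify_chain(),
        "file_matches": log.verify_extract(0, SAMPLE_EXTRACT),
        "modified_file_matches": log.verify_extract(0, SAMPLE_EXTRACT + b"extra row\n"),
        "open_extracts": log.unaccounted({0: "erased"}),
    }
    log.entries[1]["user"] = "someone-else"   # simulate after-the-fact tampering
    results["chain_ok_after_tamper"] = log.verify_chain()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hash chain makes the log self-checking but not tamper-proof on its own; in practice the newest `entry_hash` would be copied somewhere the extracting users cannot write (a separate audit host or a signed daily digest) so that a rewrite of the whole chain is also detectable.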

For most agencies, the first step to safeguarding personal data is locating the documents and databases containing Social Security numbers, Groman said.

Mischel Kwon, chief information technology security technologist at the Justice Department, agreed that cleansing files containing Social Security numbers is a long-term project. 'In the interim, we need to do common sense things,' such as implementing employee awareness training, she said.

The FTC considered employee and contractor awareness to be important factors when it developed a breach notification plan incorporating OMB's guidance.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
