Lawmakers ask agencies for data security update

Two high-ranking senators want to know when agencies will fully implement the Bush administration’s requirements to protect personally identifiable data.

Sens. Susan Collins (R-Maine), ranking member of the Homeland Security and Governmental Affairs Committee, and Norm Coleman (R-Minn.), ranking member of the Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations, sent letters to 24 Cabinet agencies Feb. 22 requesting a written timeline for when they will meet all four requirements laid out by the Office of Management and Budget in a June 2006 memo.

In the letter, the senators told the agency secretary which of the five requirements the department needs to implement. The lawmakers also asked for status updates or compliance timelines for five other OMB memos dating as far back as 2005 that deal with data security, including designating senior officials in charge of privacy.

“As the federal government obtains and processes information about individuals in increasingly diverse ways, it is critically important that it ensure the privacy rights of individuals are respected and that personal information is properly secured and protected,” the senators wrote.

The letter comes on the same day the Government Accountability Office found agency progress in meeting these June 2006 security requirements inconsistent.

Auditors said most agencies – 22 of them -- have developed policies requiring personally identifiable information to be encrypted on mobile computers and devices, and 15 agencies have polices that require the hardware to time-out after more than 30 minutes of inactivity.

But GAO also found that only 11 agencies have established policies to log computer-readable data extracts and erase data after 90 days, while 14 implemented two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.

Auditors said many agencies are still researching the technology to use to log computer-readable data extracts and erase data.

GAO also found that only four agencies had policies requiring the use of the National Institute of Standards and Technology’s security checklist in Special Publication 800-53. In addition, 20 agencies had written policies that require encryption software to comply with NIST Federal Information Processing Standard 140-2.

“Gaps in their policies and procedures reduce agencies’ ability to protect personally identifiable information from improper disclosure,” auditors wrote. “We reiterate, however, as we have in the past, that although having specific policies and procedures in place is an important factor in helping agencies to secure their information systems and to protect personally identifiable information, proper implementation of these policies and procedures remains crucial.”

Coleman and Collins expressed dismay about the report’s findings.

“The findings released in this report are very troubling – indicating that agency after agency has failed to make securing citizens’ personal information a high priority,” Coleman said in a statement. “The clock is ticking and we need to know when the agencies are going to have the protections in place to stop the numerous data breaches we have seen over the past few years. The bottom line is the federal government has a responsibility to ensure the personal information it collects from its citizens is properly secured and protected.”

Collins added that agencies need to act more quickly to protect sensitive data.

OMB officials agreed with the report and said they added these requirements as part of the agency scores under the e-government portion of the President’s Management Agenda score card, GAO said.

“OMB is working with the agencies and monitoring their progress in addressing the recommendations of the President's Identity Theft Task Force,” said Karen Evans, OMB’s administrator for e-government and information technology, in a statement. “It's important to ensure that agencies have the proper security controls in place to minimize and prevent risks to the public's information.”

“The GAO report has shown improvements have been made, but we are woefully short of where we should be 18 months after the OMB directives,” said Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee. “I’m particularly concerned about the pace of efforts to encrypt personal data kept on laptops and other mobile devices. Citizens’ most sensitive information should not be we walking around waiting to be lost or stolen. Too many laptops and hard drives still go missing, and too many people’s critical digital identities are put at risk when that happens.”

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group