VA to control, restrict use of mobile storage devices

ORLANDO, Fla. -- In the next month, the Department of Veterans Affairs will let employees plug into its network only those mobile storage devices issued by the chief information officer’s office.Robert Howard, the department’s CIO, said today that although his office already mandated that these mobile devices, known as thumb drives, be encrypted, he is taking security a step farther. He is requiring employees to apply and demonstrate a need for a thumb drive and to have their supervisors sign off on that need before the office will issue the drive. Howard will issue only 1G and 2G thumb drives and will not allow anything larger onto the network unless he approves it.“This effort is to drive down the use of thumb drives,” he said after his speech at the Information Processing Interagency Conference sponsored by the Government Information Technology Executive Conference. “This will help us eliminate future problems by shutting down an easy way to take data out of the office.”The mobile storage devices also must be certified under the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2, he added.Last May, a laptop and external hard drive containing personal information on about 26 million veterans was stolen from a VA employee’s home. Under intense pressure from lawmakers and the Bush administration, the VA has instituted new policies, including the one for thumb drives, to ensure that doesn’t happen again.Besides controlling thumb drives, Howard aims to have a standard configuration for smart phones and personal digital assistants, eliminate unencrypted messages that travel on the VA’s network and reduce the number of virtual private networks by the end of fiscal 2007.The department also is relying more on public-key infrastructure (PKI) and Microsoft’s rights management system (RMS) in its Outlook e-mail system to do a better job of securing e-mail and documents.“We had issued 30,000 digital certificates in the fall and now we have issued 85,000 PKI” certificates, Howard said. “RMS is easier to use than PKI. We will continue to do both.”Although Howard wants to institute all of these changes in the short term, he is thinking about the VA’s long-term security. Earlier this week, the department issued a request for information for “soup to nuts for data security.”The VA’s reorganization is also moving forward. Howard said the agency will soon send a legislative package to the Office of Management and Budget to be submitted to Congress. It will promote the VA’s five deputy CIOs to assistant secretaries for different IT functions: information security, strategic planning, resource management, application development, and operations and maintenance.“We don’t know if we will get that approved, but we want to raise the title so we can attract the best talent,” he said.While Howard waits for lawmaker approval on the title changes, he has organized new governance boards: a business needs and investment board, and a planning, architecture and technology services board.Each will report to the IT Leadership Board, which in turn reports to the Strategic Management Board. The deputy secretary leads the strategic board, which is made up of high-level agency executives.“I would like these new governance boards to only address the big issues that can’t be handled at the action office level,” Howard said. “The target is for them to meet once a month, but I’m not sure if it will always be necessary.”