After a spate of well-publicized thefts of government laptops earlier this year, Clay Johnson III, deputy director for management with the Office of Management and Budget, sent a memorandum to department heads urging them to take action to safeguard information properly.
Johnson’s memo, which includes a security checklist created by the National Institute for Standards and Technology, recommended four actions: use encryption when carrying agency data; use two-factor authentication provided by a device that is separate from the computer (such as a USB token); ensure that users reauthenticate after 30 minutes of inactivity; and verify that all sensitive data is purged within 90 days if no longer required.
“Most departments and agencies have these measures already in place,” Johnson says in the memo, though the many recent losses of unsecured laptops suggest that having the measures in place and actually ensuring that workers use them are two separate issues. Johnson says that his department will “work with the Inspectors General community to review these items as well as the checklist to ensure [that] we are properly safeguarding the information the American taxpayer has entrusted to us.”
“I think where this memo is significantly different is it’s no longer allowing agencies to be left up to their own devices, to arrive at their own solutions, to make decisions about what they’re really going to protect,” says John Dasher, director of product management with encryption vendor PGP Corporation. “It’s more clear than anything we’ve seen to date.”
With data breaches being such a hot topic, it’s fair to ask why it’s been so hard to get government and companies alike to encrypt data; after all, a plethora of products and solutions exist to make the task simple. “There is still a hangover from the technology of ten years ago,” opines Dasher, “and I think the federal government suffers especially from this.”
First attempts at data protection solutions often revolved around immense PKI rollouts that were expensive as well as cumbersome to understand and manage. “People don’t realize there’s a next-generation solution,” Dasher says, and it is automated and transparent to users.
@ Johnson’s memo is at SM Online.