Stolen Laptops Force OMB To Order Federal Security Updates

Government agencies have 45 days to implement long-standing data security requirements, as well as some new ones, including encrypting all data on mobile machines, requiring token- or card-based two-factor authentication for remote access, and tracking data extraction from federal databases.
The White House has given federal agencies 45 days to beef up safeguards to prevent citizen identities from being lost or stolen, the latest reaction to the numerous data disclosures suffered by the government in May and June.

The Office of Management and Budget (OMB) issued a memorandum last week to all federal departments and agencies reminding administrators of long-standing data security requirements, but also made new recommendations.

Among them: encrypt all data on mobile computers and devices, only allow remote access to government networks using token- or card-based two-factor authentication, and log all instances when data is extracted from federal databases.

The government has been embarrassed by several prominent data breaches, including the massive May VA incident, the loss of two Federal Trade Commission (FTC) notebooks, a large disclosure of U.S. Navy personnel identities, and a breach at the Department of Agriculture.

The OMB's timetable means that agencies have until August 7 to comply with the security standards laid out in Deputy Director for Management Clay Johnson's memo (available here in PDF).

Congress applauded the OMB's tough love stance, with caveats. "Today's action to reinforce security standards for sensitive information controlled by the federal government is a sensible step," said Tom Davis (R-Va.), the chairman of the House Committee on Government Reform, in a statement Monday. "However, given the spotty record of compliance, I sincerely hope this action leads to both better results and better practices, and if not, perhaps Congress will have to step in and mandate specific security requirements."

Davis's committee is responsible for overseeing the annual security grades filed to Congress by federal agencies' information officers and inspectors general. In the most recent report card, the government as a whole pulled down a barely passing grade of "D+."
