The Office of Management and Budget (OMB) issued a memorandum last week to all federal departments and agencies reminding administrators of long-standing data security requirements, but also made new recommendations.
Among them: encrypt all data on mobile computers and devices, only allow remote access to government networks using token- or card-based two-factor authentication, and log all instances when data is extracted from federal databases.
The government has been embarrassed by several prominent data breaches, including the massive May VA incident, the loss of two Federal Trade Commission (FTC) notebooks, a large disclosure of U.S. Navy personnel identities, and a breach at the Department of Agriculture.
The OMB's timetable means that agencies have until August 7 to comply with the security standards laid out in Deputy Director for Management Clay Johnson's memo (available here in PDF).
Congress applauded the OMB's tough love stance, with caveats. "Today's action to reinforce security standards for sensitive information controlled by the federal government is a sensible step," said Tom Davis (R-Va.), the chairman of the House Committee on Government Reform, in a statement Monday. "However, given the spotty record of compliance, I sincerely hope this action leads to both better results and better practices, and if not, perhaps Congress will have to step in and mandate specific security requirements."
Davis's committee is responsible for overseeing the annual security grades filed to Congress by federal agencies' information officers and inspectors general. In the most recent report card, the government as a whole pulled down a barely passing grade of "D+."