US gov. memo to federal agencies mandates laptop security

Federal civilian agencies have just over a month left to comply with new guidelines mandating encryption and two-factor authentication for notebook computers:

The memo follows a wave of high profile data thefts and major security breaches involving remote access or the theft of government laptop computers containing sensitive personal information. The official memo (PDF) from the executive office of the U.S. president stipulates that all mobile devices containing sensitive information must have their data encrypted. The recommendations also say that two-factor authentication must be used for remote access, that remote access must time out after 30 minutes of inactivity, and that all data extracts must be logged. The memo does not detail any specific technology recommendations beyond this broad outline, presumably leaving agencies to decide on their own specific implementations.

Recent [data theft] incidents involved the theft of 26,000 SSNs and photos at the U.S. Department of Agriculture; a laptop containing fingerprints of 291 employees of the Internal Revenue Service; the Energy Department's loss of 1,500 employee and contractors' personal records at the National Nuclear Security Administration; a compromise of the identities of 2.2 million active-duty military personnel at the Department of Veterans Affairs; a stolen laptop at the Federal Trade Commission with data on 110 people; the Navy's discovery of 28,000 personal records on a website; and finally, an insurance company employee's exposure of 17,000 personal Medicare records, according to the Department of Health and Human Services.

Link to Security Focus article (Thanks, Mike Outmesguine!)

Reader comment: Jon says,

I work as a contractor for a federal agency (military, no less) and I haven't seen anything about this. Not that I doubt your source – I expect whitehouse.gov knows what the executive office is doing – but it worries me that it hasn't trickled down. The particular agency I work for has some wonderful ideas about security – change your password every four seconds, get logged out of webmail every ten… Everything that can annoy the employees without actually doing any good.

Anyway, the memo is a nice election-year show, but I'd be shocked if it actually makes a difference.

Gabe says,

I also work at a security contractor, and all laptop users had to install encryption software starting about a month ago. And when logging in through the company network, our screensavers are forced into a 20 minute password protection configuration.

Steve B. says,

Actually, I DO work for a Federal Executive Agency and this has been in the process of implementation for months. We have so many freaking passwords and firewalls to gain access to that I think our IT department spends more time resetting passwords than anything else. It does basically just cause more headaches for the employee trying to get real work done, in addition to personal internet and email access. None of the technology I have seen, including even having to encrypt our pen drives, would be enough to thwart someone that REALLY wanted the info.

Anonymous says,

I work in the computer security section of a federal agency and this memo has been getting some comments emailed around between agencies. OMB hasn't given agencies any interpretation guidance, other than the memo itself, and one of the comments you see a lot is the following:

"The first part of the memo lists four 'recommended actions' that I am interpreting as not mandatory (…the exception being the encryption of mobile computers/devices). Anyone else interpreting this differently?"

… I don't think I would expect major changes at many agencies. Given past experience I think many agencies will just chalk these up to recommendations that are not mandatory (except for the encryption).