Data security basics still trip up federal agencies

With the focus on information-sharing, agencies must put more energy behind secure credentialing and other initiatives, Defense official says.

Basic best practices in computer security continue to elude agencies, even as they place greater emphasis on information sharing, said federal information technology officials during a panel discussion in Washington on Wednesday.

Agencies are well aware of some fundamental information security objectives, many of which are supported by federal mandates, but they still struggle to keep up, said Dave Wennergren, deputy chief information officer at the Defense Department, at the annual AFCEA Homeland Security Conference. AFCEA International is a member organization for government, industry and academia focused on global security.

"There's this basic set of activities agencies need to continue to do to confront today's reality" of information sharing, Wennergren said.

He pointed to the need to be more diligent about implementing and enforcing secure credentialing. Many still struggle to comply with Homeland Security Presidential Directive 12, which mandated the adoption of secure identification cards across the federal government by October 2008 to ensure only authorized employees gain access to buildings and data. Federal Times reported that governmentwide, 82 percent of the 6.2 million employees and contractors required to obtain the enhanced-security ID cards had received them by the end of 2009, and few government facilities have the scanners and other technology needed to read the personal data encrypted on the cards.

A January report from the DHS inspector general showed the department had issued only 15,567 credentials to its roughly 250,000 full-time employees and contractors as of September 2009.

"It's fabulous that the entire federal government is aligned about [secure credentialing], but you have to do more than issue them -- you have to use them," Wennergren said.

Agencies also should ramp up efforts to comply with other information security standards, he said, including the Trusted Internet Connections initiative, which guides agencies on how to reduce the number of connections they have to the Internet that hackers can use to penetrate federal networks, and the Federal Desktop Core Configuration mandate, a set of standards for securing the Microsoft operating system. Agencies' adoption of both standards has been slow.

"Here we have [defined] a secure version of an operating system -- God help you if you don't use it," Wennergren said.

"There's a body of work [for information security] that we need to put energy behind," he added. Typically, agencies point to a lack of resources to put toward information security initiatives, many of which are regarded as unfunded mandates.

The Justice Department is launching initiatives to support information security processes. The Data at Rest encryption program, for example, provides tools to encrypt data saved to devices that connect to the department's network, ensuring sensitive information can't be exposed in the event the device is lost or stolen. And an end-point lifecycle management program is in the works to ensure all devices are updated with the latest security patches. Currently, the CIO's office has to call individual agencies to determine whether their computers are up to date.

"Sometimes we don't get answers, and sometimes we don't get the right answers" from agencies, said Justice CIO Vance Hitch. "We're developing an automated way to get those patches out quickly and prevent [a dangerous] level of intrusion at the department."
