OMB beefs up protections for sensitive information

Featured eBooks
Next-Generation Computing
Read Now

Space Tech

Read Now

Cyber Workforce

Read Now
Insights & Reports
Data Storage To Meet Every Need, All Powered By ONTAP
Presented By TD SYNNEX
Download Now
Strengthening Government Resilience: Securing the Future of the Federal Workforce
Presented By Cornerstone OnDemand
Download Now
By Matthew Weigelt

By Matthew Weigelt

|

Johnson spells out specific steps that agencies should follow to protect data that users take off site or access from remote locations.

OMB will work with inspectors general to ensure compliance, the memo states.

Related Links

"Hack at USDA puts 26,000 at risk"

"VA officials ignored security warnings"

Memo: Protection of Sensitive Ageny Information

Homeland Security Presidential Directive-12

The Office of Management and Budget issued a checklist late last week for agencies to follow as they try to make personal information more secure. At least four federal agencies have recently reported security breaches that led to information on agency employees, contractors and citizens being potentially exposed to identity thieves.

In a June 23 memo to department and agency heads, Clay Johnson, OMB's deputy director for management, wrote that agencies should:

  • Encrypt all data on mobile computers carrying sensitive information.

  • Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer.

  • Use a “time-out” function for remote access, requiring remote users to sign in again after 30 minutes of inactivity.

  • Log all computer-readable data from databases with sensitive information and verify the data is erased within 90 days, unless it is still needed.

“Strict adherence to safeguard standards is critical to protecting sensitive data,” Johnson said in a press release.

These standards should be in place in 45 days, according to the memo.

Rep. Tom Davis (R-Va.), who chairs the House Government Reform Committee, said OMB’s memo is a sensible step toward blocking future security breaches. Under the Federal Information Security Management Act, OMB’s role is to require agencies to secure sensitive information.

“However, given the spotty record of compliance we have seen among the agencies, I sincerely hope this action leads to both better results and better practices — and if not, perhaps Congress will have to step in and mandate specific security requirements,” Davis said in a statement.

Johnson wrote in his memo that OMB's checklist is designed to protect information accessed or removed from an agency. The intent of the checklist is to compensate for the lack of physical security controls when information is accessed remotely, the memo states.

FISMA was enacted to ensure agencies meet consistent standards for security requirements for information and information systems. NIST defines these standards, and OMB ensures that they are carried out across the agencies.

NEXT STORY: Duane Andrews moves to QinetiQ