Secure Measures

Last year’s rash of data theft scandals forced federal officials to acknowledge a tawdry reality: Despite years of solemn pledges to safeguard personal data, federal technology security, especially for mobile computers and media, remains troubled.

Agencies’ widespread security shortcomings have been highlighted by their stumbling compliance with last summer’s Office of Management and Budget mandate to upgrade data protection on mobile systems.

OMB’s four required steps (see box) are built on long-standing federal law and policy, including the Federal Information Security Management Act and OMB Circular A-123, that most agencies have fallen short in meeting. That’s despite OMB’s claim in the June 23 memo that, “Most departments and agencies have these measures already in place.”

Survey data from inspectors general confirm the finding of a GCN survey of federal IT specialists that the security improvements are confused and halting.

IT leaders cite a matrix of policy, technical and cultural barriers that hobble security improvements:

• Funding shortfalls, which can amount to millions per agency to pay for mandated upgrades
  
• Technical barriers to adopting three of the four security measures
  
• Organizational obstacles to adopting tighter security procedures, such as the need to train data users on requirements embedded in the National Institute of Standards and Technology’s Special Publication 800-53 regarding the use of virtual private networks for remote access
  
• Difficulties in retrofitting upgraded IT security controls on legacy systems, many of which use custom code that can respond unpredictably to software upgrades
  
• User—and even management—resistance to taking the additional steps and time to carry out new security requirements.
  

Adoption of the new measures varies by agency and by the specific steps involved, officials said.

“Time-out was the easiest of the four. The other three require strong coordination and planning, along with, in some cases, money,” said Barry West, Commerce Department CIO. “We were fortunate to get the encryption software before the new fiscal year, so we weren’t affected by the continuing resolution because I had budgeted money for security.” Commerce officials allocated the cost of the new systems across bureaus based on the number of users in each office, West said.

Cultural barriers form part of the security problem. “Users push back [against new security requirements],” said one former federal IT leader who requested anonymity. “They don’t want to carry something extra. We had a political appointee at our agency who was convinced that he shouldn’t have to use two forms [of authentication] because banks didn’t do so. He fought back and tried to reverse the policy.”

As for the technical challenges agencies face, Mark Day, former Environmental Protection Agency chief technology officer and now CTO at McDonald Bradley Inc. of Herndon, Va., cited problems with encrypting data, especially on notebooks that already carry a great deal of information.

“Laptops become cluttered with large volumes of data and develop heavily fragmented hard drives,” Day said. “When you go to encrypt it, you can have a reasonable failure rate of 5 percent up to 30 percent.”

By contrast, with the timed log-offs, Day said, the requirements are “widely accepted, widely in use and widely understood. There is little unknown [about the practice].”

An OMB official, who requested anonymity, said all agencies have started working to implement the four new requirements but sidestepped the question of how far they have progressed.

“We will continue to work with the departments and agencies as well as the inspectors general to review these processes and the status of individual agencies on implementation of each of the four recommendations,” the official said.

And agencies likely will not get much additional funding from the Hill to meet these requirements. One chief information security officer, who requested anonymity, said OMB should develop a governmentwide vehicle to buy these security services in bulk to help agencies save money.

Bob Post, vice president of the assurance and resilience capability team at Booz Allen Hamilton Inc. of McLean, Va., said Congress’ viewpoint is that agencies have had the security responsibilities for many years under existing laws.

“Maybe OMB and agencies need to come clean and say this is a bigger problem than first thought,” Post said. “There have not been too many high-profile spills lately because the message has gotten out. People are more [conscious] of how best to handle devices, and that cuts down some of it.”

Post said the OMB mandates would reduce data losses from removable media and mobile systems.

“You want to minimize, as a part of a whole risk-reduction strategy, the amount of information floating around on these devices. Then what you have left, after you have reduced the population of people taking info out the door, [you consider] how do you deal with people who have to have information on devices,” Post said.
Further steps involve training and education, he added.

Post noted that though users have adopted mobile equipment, security awareness and training have not kept pace.

“You can’t think of this as a desktop machine any more,” Post said. “We have to change our mind-set with these devices, and it is even worse with cell phones, PDAs and other devices that have more capacity. That is why you only take data you need to do your job.”

OMB now is reviewing the agencies’ annual FISMA reports and preparing its governmentwide report for Congress, the official said, adding that OMB would issue further security guidance as it continues to identify gaps.

As for the loss of data, the official added, “Specifically in the realm of personal information, we have been working with agencies through the President’s Identity Theft Task Force, focused on safeguarding of personal information and breach notification.”