OMB reminds agencies to secure information
Agencies told to review policies for safeguarding personal information and include the findings in their upcoming FISMA reports due this fall.
Office of Management and Budget's May 22 memo
The Office of Management and Budget re-emphasized agencies’ duty to protect personal information, in a memo released May 22, as concern grows over the Department of Veterans Affairs’ loss of the personally identifiable information — including Social Security numbers — of millions of veterans.
OMB directed agencies to review policies for safeguarding personal information and include the findings in their upcoming Federal Information Security Management Act reports due this fall.
A laptop computer with millions of veterans’ personal information was stolen last week from a VA employee’s home.
Clay Johnson, OMB’s deputy director for management, wants agencies to note any weaknesses in security plans and milestones required by FISMA. He is requiring agencies to remind employees within the next 30 days of their responsibilities for safeguarding sensitive information, the rules for acquiring and using the information and the penalties for violating the rules. He also told agencies to report all security incidents.
Johnson in the May 22 memo pointed out that OMB told agencies last year to appoint a senior agency official for privacy at the assistant-secretary level. All agencies have done so, according to the memo.
“Because federal agencies maintain significant amounts of information concerning individuals, we have a special duty to protect that information from loss and misuse,” Johnson wrote.
According to OMB’s Feb. 11, 2005, memo, the appointed privacy official would oversee and coordinate an agency’s efforts in compliance to privacy standards.
In the May 22 memo, Johnson advised agencies to review their policies and take appropriate action to install safeguards to avoid incidents such as the VA’s current situation. He directed them to address administrative, technical and physical means used by agencies to control information removal from agency premise.
NEXT STORY: IT whacked in Defense Authorization bill