OMB Sets Stricter Guidelines for Laptops

After a string of embarrassing security lapses, the White House Office of Management and Budget laid out a number of new measures aimed at protecting personal information that agencies hold on millions of employees and citizens.

Federal civilian agencies will have 45 days to comply with the guidelines, and the OMB will work with agency inspectors general to ensure compliance. In a 10-page memo released last week, the office refers to the changes as recommendations made in compensation "for the protections offered by the physical security controls when information is removed from, or accessed from outside, of the agency location." The changes follow a checklist for protection of remote information provided by the National Institute of Standards and Technology.

Among the major recommendations, agencies will now:

  • Encrypt all data on laptops or handheld computers, unless an agency's deputy director classifies the data as non-sensitive;
  • Provide employees with two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection; and,
  • Begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days, unless their use is still required.

The worst of the recent federal data incidents came on May 22, when the Department of Veterans Affairs announced that a laptop and external hard drive containing detailed information on about 26.5 million veterans were stolen from the home of an employee. In early June, the Internal Revenue Service said that a missing laptop contained information on nearly 300 employees and IRS job applicants, and a couple of weeks later, the Agriculture Department revealed that a hacker had broken into its network, compromising the personal information of about 26,000 employees and contractors. Just last week, the Federal Trade Commission said that two laptops containing financial information related to investigations were missing, and the U.S. Navy said that it was investigating how the personal data for 28,000 sailors and dependents had made its way onto a public Web site.
The full OMB memo is available at www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf.

Previously on WebCPA:

Lost Laptop Contains Info on IRS Employees, Applicants (June 7, 2006)

Drive Containing AICPA Member Info Goes Missing (May 15, 2006)

E&Y Warns Clients after Laptop Theft (Feb. 28, 2006)
