The Bush Administration is giving federal civilian agencies just 45 days to comply with new recommendations for laptop encryption and two-factor authentication.
The memo follows a wave of high-profile data thefts and major security breaches involving remote access or the theft of government laptop computers containing sensitive personal information. The official memo (PDF) from the executive office of the U.S. president stipulates that all mobile devices containing sensitive information must have their data encrypted. The recommendations also say that two-factor authentication must be used for remote access, that remote access must time out after 30 minutes of inactivity, and that all data extracts must be logged. The memo does not detail any specific technology recommendations beyond this broad outline, presumably leaving agencies to decide on their own specific implementations.
"Most departments and agencies have these measures already in place," wrote Clay Johnson III, the Deputy Director for Management who authored the memo. That assertion is hard to believe in the wake of several high-profile data thefts in the past year involving government systems that were using neither encryption nor two-factor authentication.
Recent incidents include the theft of 26,000 SSNs and photos at the U.S. Department of Agriculture; a laptop containing the fingerprints of 291 employees of the Internal Revenue Service; the Energy Department's loss of 1,500 employee and contractors' personal records at the National Nuclear Security Administration; a compromise of the identities of 2.2 million active-duty military personnel at the Department of Veterans Affairs; a stolen laptop at the Federal Trade Commission with data on 110 people; the Navy's discovery of 28,000 personal records posted on a website; and finally, an insurance company employee's exposure of 17,000 personal Medicare records, according to the Department of Health and Human Services.
Five of these seven incidents involved laptop computers without encryption, and the others involved remote access to private systems via the Internet that might have been prevented, or at least made more difficult, by two-factor authentication.
Posted by: Kelly Martin