The White House's Office of Management and Budget instructed U.S. federal agencies to alert US-CERT to any breach involving personally identifiable information within one hour, even if a breach is only suspected.
The memo (PDF), dated last week, is the fourth letter regarding information-security policy sent to government agencies in the past two months. Another memo (PDF), dated Monday, required that government agencies report any computer systems missing from their inventory and outline the results of an investigation into handling of personally identifiable information within their agency. An earlier memo mandated that agencies use encryption to protect sensitive data on laptops.
The memos come after government agencies revealed a number of embarrassing data breaches. In May, the Department of Veterans Affairs revealed that the names, Social Security numbers and birth dates of nearly 26.5 million veterans had been stored on a laptop and external hard drive that were stolen from an employee's home. The laptop and hard drive were later recovered. In June, the U.S. Department of Agriculture acknowledged that information on 26,000 employees had been stolen by online data thieves.
The latest memos clarify the obligation of federal agencies under the Federal Information Security and Management Act (FISMA) of 2002, under which agencies get graded on their security postures. Last year, the U.S. government received an average grade of D+ for computer security.
Posted by: Robert Lemos