Generally available encryption technologies could help some notoriously data-leaky federal agencies protect sensitive information - if they used them.
Of 24 major federal agencies that watchdogs at the Government Accountability Office reviewed through September 2007, 70% had not yet installed encryption software on laptops or hand-held mobile computers, where such security technology could do the most good. Further, the GAO said that at six agencies that had employed encryption, implementation was weak, and both procedures for managing these technologies and training of personnel in the proper use of installed encryption products were lacking. Not a pretty picture.
As a result of these weaknesses, federal information, such as medical records, Social Security numbers and other personal data, may remain at increased risk of unauthorized disclosure, loss, and modification, the GAO concluded.
Keep in mind, though, that government regulations do not require agencies to deploy encryption to keep data secure, but as the GAO stated, federal agencies are responsible for safeguarding it in the best ways possible.
There are indeed regulations defining information security controls over federal agency information and information systems. In addition, other laws frame practices for protecting specific types of sensitive information. The Office of Management and Budget is responsible for establishing government-wide policies and for providing guidance to agencies on how to implement the provisions of the Federal Information Security Management Act (FISMA), the Privacy Act, and other federal information security and privacy laws.
The need for encryption, and for stronger security in general, is growing, however, as the number of security incidents reported by federal agencies to the US Computer Emergency Readiness Team (US-CERT) has increased dramatically over the past 3 years, growing from 3,634 incidents reported in fiscal year 2005 to 13,029 incidents in fiscal year 2007 (about a 259% increase). The GAO pointed to three severe breaches as examples of ways encryption could have prevented some highly public data leakage:
Interestingly, the GAO said that all 24 agencies it examined reported myriad hindrances with implementing encryption. The most challenging conditions were:
Ultimately, the GAO said it was recommending that OMB clarify government-wide encryption policy to address agency efforts to plan for and implement encryption technologies. The GAO said it is also making recommendations to selected agencies to properly install and configure FIPS-compliant encryption technologies, to develop policies and procedures to manage encryption, and to provide encryption training to personnel.
The 24 major federal agencies included in the GAO report were the Agency for International Development; the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; the General Services Administration; the National Aeronautics and Space Administration; the National Science Foundation; the Nuclear Regulatory Commission; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration.