By Mary Mosquera
The Office of Management and Budget today provided a checklist of best
practices that agencies must have in place in 45 days to compensate
for the absence of physical security controls when employees remove
information or access it from outside of agency premises.
Most departments should already have the measures recommended by the
National Institute of Standards and Technology in place, according to
Clay Johnson, OMB deputy director for management.
"We intend to work with the inspectors general community to review
these items, as well as the checklist, to ensure we are properly
safeguarding the information the American taxpayer has entrusted to
us," he said in the memo dated June 23 .
Besides the checklist, agencies also by early August must encrypt all
data on mobile devices that carry sensitive data and allow remote
access only with two-factor authentication. One of those factors
should be provided by a device separate from the computer gaining
access. Agencies will implement a "time-out" function for remote
access and mobile devices users, who will need to re-authenticate
after 30 minutes of inactivity. Agencies will log all
computer-readable data extracts from databases holding sensitive
information. They must verify that each extract of sensitive data has
been erased within 90 days or its use is still required.
OMB provided sample privacy documents for system of records notices
for personnel security files, identity management systems, identity
card proofing and Privacy Act statement and a Privacy Act statement
for users of personal identity verification cards.
Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee,
applauded OMB's memo.
"Today's action by the Office of Management and Budget to reinforce
security standards for sensitive information controlled by the federal
government is a sensible step, given the various data breaches we have
seen in recent weeks," he said. "[G]iven the spotty record of
compliance [with the Federal Information Security Management Reform
Act] we have seen among the agencies, I sincerely hope this action
leads to both better results and better practices-and if not, perhaps
Congress will have to step in and mandate specific security
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.