Federal agencies have yet to encrypt sensitive information on 70 percent of laptops and handheld devices, and encryption requirements remain unclear, according to a report released on Tuesday by the Government Accountability Office.
Agencies are a long way from compliance with a 2007 Office of Management and Budget policy requiring them to use National Institute of Standards and Technology-approved products to encrypt data on mobile computers and devices that carry sensitive data, the report (GAO-08-525) stated.
The OMB policy came one year after the theft of a Veterans Affairs Department laptop with Social Security numbers and other sensitive information on 26.5 million veterans. Security analysts regard encryption as among the best defenses against such breaches, because the data is converted into a form that cannot be read without the decryption key.
In a survey of 24 major agencies conducted from July 2007 to September 2007, GAO found that only 30 percent of laptop computers and handheld devices contained encryption technology to protect sensitive information. Also, no agencies had documents in place detailing plans for ongoing encryption efforts, according to the report. The agencies, for instance, lacked schedules for conducting inventories of the type of information stored on mobile computers.
The watchdog agency also reviewed specific efforts by six agencies - the Agriculture, Education, Housing and Urban Development, and State departments, and the General Services Administration and NASA - to install encryption technologies on mobile computers. GAO selected those agencies because they had reported having initiated efforts to install such technologies, had experienced publicized incidents of data compromise, or were expected to collect, store and transmit a wide range of sensitive information.
GAO found that two of the six agencies had not installed encryption technologies validated according to NIST standards, and four had not configured installed encryption technologies appropriately. All six agencies failed to develop policies and procedures for properly managing encryption implementation, and three had not adequately trained personnel in the products' use.
"Encryption is not an option, it is a mandate," said Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee. "Unfortunately, I'm not surprised … This administration regularly falls short when it comes to addressing our information security weaknesses. Making the right investments in cybersecurity today will keep us from paying dearly in the long run."
As a result of these weaknesses, federal information may remain at greater risk of unauthorized disclosure, loss and modification, according to the report.
Of the 24 major federal agencies evaluated, 10 reported having systems that contained sensitive medical information, 16 reported having systems that had sensitive regulatory information, 19 reported having systems that contained sensitive personal information and 20 reported having systems with sensitive program-specific information.
Agencies expressed some confusion about OMB policies relating to encryption, according to the report. Specifically, some appeared unclear about what qualifies as "mobile computers and devices." In response to an April 2008 query from GAO, officials from OMB clarified that the term included all agency laptops, handheld devices, and portable storage devices that contain agency data; GAO recommended that OMB further clarify policies through additional guidance or governmentwide education. It also recommended that OMB be more consistent in monitoring the effectiveness of the agencies' encryption implementation plans and efforts to take inventories of sensitive information contained in mobile devices.
"OMB has been working to provide federal departments and agencies with the tools and guidance necessary for the implementation and use of encryption appropriately to protect federal information," wrote Karen Evans, OMB's administrator for e-government and information technology, in a letter responding to the report. The agency will try to leverage existing education vehicles and forums, she said, such as the Chief Information Officers Council's Best Practices Committee, to clarify policies.
GAO also made a series of recommendations for the six specific agencies whose product deployment processes were reviewed, including establishing monitoring processes for encryption products and adopting departmentwide procedures for encryption management and training programs.