Three years after encryption mandate, transmitting information from the field continues to be risky.
In 2006, one of my key responsibilities as a Justice Department senior security official was protecting sensitive legal data. When a laptop was stolen from an employee at the Veterans Affairs Department in May of that year, exposing data on 26.5 million veterans and military personnel, it left a serious and lasting impression on me.
So, when the Office of Management and Budget issued Memorandum 06-16, the remote data encryption mandate, in June 2006 to better protect the flow of information in federal agencies, my reaction was to implement an immediate policy that required only encrypted removable media to be used when carrying sensitive but unclassified (SBU) data outside a Justice Department office. I anticipated a long-term effort to secure in-the-field government security operations effectively. I didn't expect that we'd still be grappling with it today, however.
The premise of the OMB mandate was to protect all information collected and stored on removable media. While a majority of government operations process information in offices, where security procedures are controlled by systemwide encryption programs, many federal employees conduct interviews and gather information in the field, where network and server-based encryption programs are not enabled. The mandate requires agencies to transport sensitive data only on mobile devices protected with a level of encryption described in the National Institute of Standards and Technology's guidance called Federal Information Processing Standards 140-2.
While laptops have received most of the attention when it comes to cybersecurity, a bigger vulnerability is the government's use of CDs, DVDs and flash drives, which can hold up to 10 times the amount of data on a laptop. We're not talking about the equivalent of file cabinets, but rather rooms of file cabinets. To achieve compliance, many agencies rely on NIST's list of approved flash drives. The challenge is FIPS 140-2 encrypted flash drives are expensive and many are not compatible with more than one computer or more than one user.
Another challenge in the remote data encryption mandate is the security of transcriptions of federal testimonies and interviews. Each year there are more than 300,000 federal cases that generate millions of pieces of testimony, evidence and witness accounts. Attorneys and law enforcement professionals collect most of this information in the field and they send them unencrypted to commercial firms to transcribe.
One of my challenges at Justice was ensuring the security of these transcriptions, because none of the transcription companies previously complied with the OMB memo, and transcripts were being processed on unsecured home computers and transmitted over the Internet. There have been two quick fixes: Transcriptionists now work on site in government offices or chief information officers are required to sign a waiver, if there is no approved transcription provider, to allow a nonapproved provider to do the work on unsecured networks and equipment.
Both of these solutions still have risky implications. The former decreases the productivity of others in the office because they have to give up workspace and equipment, and the latter compromises the integrity of the data.
Ultimately, the information security best practices that the remote data encryption mandate set out to achieve are imperative to the protection of witnesses, undercover agents and sensitive government contractor data that -- in the wrong hands -- could affect our nation's security. CIOs, procurement officers and inspectors general should be reevaluating their suppliers' use of government data to ensure it is not exposed to risk. While there is no worst-case scenario to drive all government agencies to act yet, it is only a matter of time before one arises.
Earl Hicks Jr. is a former director of security programs for the Justice Department's Office of the Inspector General and the founder and chief executive officer of LegaLock Secure Transcriptions. He can be reached at firstname.lastname@example.org.