What Is It?
Encryption is the process of turning computer data into code that can be read only by someone with a key to the information. Mathematical functions called cryptographic algorithms underpin encryption software and hardware.
Encryption is used for the transmission of information across networks as well as for storage of information on computers. Federal agencies traditionally have used encryption for classified data, but now they are required to deploy it for sensitive but unclassified information as well.
Most organizations use software -- and occasionally hardware -- to encrypt data on end-user devices such as personal computers, laptops, handhelds, smart phones and removable storage devices, including USB drives. Encryption protects the information stored on these devices from loss or theft.
With today’s software, an agency can ensure data is encrypted for hundreds of thousands of concurrent users from a centrally managed console. The software authenticates users, ensures security policies are followed, and provides auditing and reporting features. It can be used to encrypt data sent via e-mail and instant messaging as well as information stored on a computer’s hard drive or on a server.
Why Should I Care?
Encryption is important if you want to avoid a headline-grabbing data breach or being grilled by Congress for putting citizens’ information at risk.
In May 2006, a Veterans Affairs Department employee had a laptop that contained sensitive, personal information about 26.5 million veterans and military personnel stolen from his home. This well-publicized data breach prompted agencies to focus on the protection of citizens’ and employees’ PII, or personally identifiable information. PII is information that can be used to locate or identify an individual, including names, aliases, Social Security numbers and biometric records.
“The loss of personally identifiable information can result in substantial harm, embarrassment and inconvenience to individuals and may lead to identity theft or other fraudulent use of information,” the Government Accountability Office concluded in a January 2008 report, “Information Security: Protecting Personally Identifiable Information” (GAO-08-343).
“As the federal government obtains and processes information about individuals in increasingly diverse ways, properly protecting this information and respecting the privacy rights of individuals will remain critically important,” GAO reported.
One of the key motivations for federal agencies to protect PII is the threat of identity theft. In 2006, U.S. organizations lost an estimated $49.3 billion to identity theft, according to another GAO report, “Cyber Crime: Public and Private Entities Face Challenges in Addressing Cyber Threats” (GAO-07-705, http://www.gao.gov/new.items/d07705.pdf), published in June 2007.
Protecting personal information has proved problematic when it can be accessed remotely or transported outside of an agency via removable storage devices, laptops or handhelds.
Between November 2004 and January 2007, federal agencies reported 26 data breaches, many of which involved the loss of personally identifiable information due to the lack of encryption, according to GAO.
Despite the widespread availability of encryption systems on federal contracts, data breaches continue to occur. For example:
• In December 2007, an Air Force band member had a laptop stolen from Bolling Air Force Base in Washington that contained names, addresses and Social Security numbers of active and retired Air Force members.
• In February 2008, a Marine Corps base in Okinawa, Japan, had a laptop stolen that stored the names, rank and Social Security numbers of participants in a new parents’ support group.
• In March 2008, a laptop was stolen from the trunk of a car of a National Institutes of Health researcher that contained names of patients and their diagnoses as well as their Social Security numbers.
These incidents were listed in a chronology of data breaches compiled by a privacy rights organization.
Who’s Using It?
Every federal agency should be using encryption to protect citizens and employees from identity theft.
Several existing laws require federal agencies to protect personally identifiable information. These include the 1974 Privacy Act, the 2002 E-Government Act and the 2002 Federal Information Security Management Act. FISMA, in particular, requires agencies to secure their information, including PII, and information systems.
In addition, the Office of Management and Budget directed agencies in 2006 to encrypt all data on mobile computers and devices unless the information was designated in writing as nonsensitive by an agency official.
Karen Evans, administrator for electronic government and information technology at the Office of Management and Budget, followed up with a July 2007 memo to federal chief information officers recommending encryption as a best practice for all sensitive information accessed or processed remotely.
Evans said agencies should use only cryptographic modules certified by the National Institute of Standards and Technology. Government agencies must follow a NIST document called Federal Information Processing Standards Publication 140-2, “Security Requirements for Cryptographic Modules,” when they purchase encryption hardware and software.
Federal agencies must purchase encryption products that have been validated by NIST, which runs a testing program for cryptographic modules to ensure that they meet FIPS 140-2 requirements. Outside labs accredited by NIST carry out the testing, which is overseen by the NIST Cryptographic Module Validation Program.
NIST also tests cryptographic algorithms through its Cryptographic Algorithm Validation Program.
In its January 2008 report, GAO found that 22 out of 24 major agencies had developed policies requiring personally identifiable information to be encrypted on mobile computers and devices. These requirements were part of comprehensive plans to protect PII that also included a time-out function for remote access and mobile devices, requiring users to reauthenticate after 30 minutes of inactivity, and policies governing computer-readable data extracts from databases holding sensitive information.
What’s New?
In June 2007, the Office of Management and Budget, the Defense Department and the General Services Administration awarded contracts to 10 companies to provide encryption systems to protect sensitive, unclassified data on government laptops, mobile devices and removable storage media. Called Data at Rest Encryption, the program could be worth $79 million during its five-year term.
The DAR Encryption contracts are open to all federal agencies. The products offered through the program have been tested and validated by NIST as compliant with FIPS 140-2.
Fred Schobert, chief technology officer for integrated technology services at GSA’s Federal Acquisition Service, said agencies that have made large procurements through the DAR Encryption program include the Agriculture and Transportation departments, the Internal Revenue Service, the Army and the Social Security Administration. Schobert said 30 state and local agencies also made purchases from the DAR Encryption program.
The DAR Encryption program is the primary way federal agencies can purchase this type of software. OMB requires civilian agencies to consider this program before buying any encryption software, while Defense agencies are mandated to use these contracts.
The most popular products on the DAR Encryption contracts are hybrid software packages, which provide both full-disk encryption for laptops and file folder encryption for workstations.
Are There Any Downsides?
Today’s encryption software is mature and proven. Federal agencies, however, should establish a comprehensive information security program for protecting personally identifiable information and use encryption in conjunction with other security techniques.
Buyers can choose whole-disk encryption, which protects all the files and applications on a laptop or removable storage device, or file encryption, which requires users to save sensitive files to particular folders that are encrypted. Whole-disk encryption used to slow computer performance, but that’s less of a concern with today’s more powerful computers. As a result, many buyers choose whole-disk encryption because it is all-encompassing and requires less user intervention.
One issue for agencies to consider is the management tools for issuing, tracking and resetting passwords used to protect information. End users shouldn’t have an extra password for the encryption software that they are trying to remember or put on a sticky note at their desks. That’s why single sign-on software is important.
Another issue is how the management console for the encryption software interacts with existing PC client management software. Some agencies may be required to operate a separate encryption management console, which adds complexity to the network.
Of course, encryption isn’t a perfect solution for protecting personally identifiable information. A determined hacker may be able to break the encryption, but that’s not very likely when proper security procedures are followed.
How Much Does It Cost?
The costs involved with encryption include having a computer that’s powerful enough, a hard disk that’s big enough and an operating system that’s new enough to support encryption software.
On top of that, you have licenses for the software itself.
Federal agencies pay an average of $21.25 per software license through the DAR Encryption program, Schobert said. This represents a discount of more than 80 percent from commercial pricing. Volume discounts are available for agencies that purchase 10,000, 33,000 and 100,000 licenses through the DAR Encryption contracts.
“We have purchased over 800,000 DAR encryption licenses and $96 million worth of DAR encryption software for only $17 million,” Schobert said in a May 2008 interview. “That is a $79 million cost avoidance. The reduction in cost is really significant.”
Another cost to consider is the time and tech support dollars needed to deploy encryption software and to encrypt drives for the first time as well as the ongoing network management costs to support it.
How Do I Get Started?
First read this GAO report: “Information Security: Protecting Personally Identifiable Information” (GAO-08-343). It explains the laws and OMB guidance that require agencies to use encryption to protect citizen information.
Next, visit NIST’s Web site outlining its cryptographic modules and algorithms testing program.
Finally, visit GSA’s DAR Encryption Program site to learn more about how to buy encryption systems through this program.