Mobility of federal workers hinders data security

As the federal workforce becomes more mobile, a growing challenge for agency chief information officers is how to encrypt information and share it, according to the Justice Department's chief information officer.

Vance Hitch spoke Thursday to information technology contractors at a government symposium organized by Symantec. "Thumb drives are everywhere, and we have to encrypt them," Hitch said. "We're supposed to figure out how to have the data on them expire after 90 days."

Hitch said a recent White House Office of Management and Budget directive will require encryption of all sensitive data leaving his department, whether the information is in use or at rest. "This creates challenges with how to do encryption-sharing across agencies," Hitch said.

He said part of the challenge is that agencies and departments have different encryption software and vendors. Another challenge is how to extract data and control who can make copies of data.

Hitch said some CIOs complain about the costs of compliance with the Federal Information Security Management Act, which established standards and guidelines for cyber security at government agencies. Some say that after spending money on compliance, they can no longer afford actual security measures such as penetration testing and scanning for their systems.

"But overall I think FISMA has been good," Hitch said. "It has increased focus on IT security."

He also noted recent breaches like the theft of a Veterans Affairs Department laptop containing personal data on 26.5 million veterans have helped raise the profile of security needs.

"One thing the VA [data loss] did do is get senior management's attention," Hitch said.

He said that while CIOs certainly have "differences" with OMB, he agrees with the agency on one point: "If you can afford to build it, you can afford to build it right."

Hitch said security needs to be built in, and federal agencies must be more proactive in demanding that from vendors. "We need defensive security including things like situational awareness," he said. "Whether it's Oracle, Symantec or Brand 'X', we're going to look for hardened systems that are easier to lock down."

Noting that agencies "spend so much money afterward" fixing vulnerabilities, Hitch said security needs to be addressed "earlier in the supply chain." It requires monitoring what vendors and contractors are building to make sure it is secure, he added.

COMMENTS

  • Security is important, so is the ability of the work force to complete their job. This discussion is around Risk Management. If we make it too difficult, productivity goes down and job satisfaction suffers. The bad guys will find a way; we can stop them through awareness and other active programs. Sensible guidelines and severe and well-published punishment for violations should go a long way towards stopping the casual violator. Why are databases on people's computers, what is the security on the computers, let's get smart as organizations and do our jobs.
  • Is anyone out there paying any attention to what has been going on in this arena? The DoD and civil agencies recently awarded BPAs to a number of companies to help resolve these issues. With adequate planning and coordination and strong policies this problem can be significantly reduced and/or eliminated.
  • Thumb drives have become the "sneaker LAN" of today. You put a file on a thumb drive and pass it to somebody, a lot of the time that is a contractor you work with. So you need an unsecure thumb drive as well as a secure one. My agency has purchased secure thumb drives and is looking at making the data even more secure, but at the "worker bee" level we have stressed we need an unsecure one also.