Government urged to standardize data encryption standards

Some people are hoping the new year brings a new level of agreement on encryption standards used by federal agencies. Vendors are awaiting a request for proposals from the Homeland Security Department on encryption standards.

Encryption is seen by many as a way federal agencies can better protect sensitive data, but the existence of so many types of encryption and services has meant that the purpose and ability to read them can easily get lost.

"It's like one hand clapping," said Jim Russell with Symantec's public-sector education department. "We need one single encryption tool that incorporates multiple vendors."

He will be both advocating and applauding any movement toward encryption standards, but it could be a slow process.

Chief information officers, including Vance Hitch at the Justice Department, have said complying with directives by the White House Office and Management and Budget to encrypt all sensitive data leaving his department is a challenge because of differences among federal agencies, which currently use competing software and vendors.

At security conferences last fall, federal CIOs said the problem is that when employees see encryption or other security steps as too slow or too much of an obstacle to doing their jobs, they become more likely to break the rules.

The Government Accountability Office repeatedly has criticized federal entities, including the Internal Revenue Service in a report this week, for not following their own rules that require sensitive data to be encrypted.

GAO praised the IRS for better controlling user IDs on critical servers, building security into new applications and encrypting data. But the watchdog also found that the agency didn't always enforce password management or encrypt sensitive data.

A main reason that about 70 percent of the cyber-security upgrades remain undone is that the IRS is part way through implementing an agency-wide security program, according to the report. The fiscal 2008 budget provides $267 million for the upgrades.

On another security front, GAO has recommended Homeland Security do a better job securing online electric-control systems and sharing vulnerabilities of the systems. Additional steps may be around the corner for that.

Because private companies control the power grid, Homeland Security has been relying on the Federal Energy Regulatory Commission to recommend how to better protect the power grid from cyber attacks. FERC in turn has relied on voluntary standards developed by the Northern American Electric Reliability Corporation.

NAERC issued a report on its latest guidelines this week and is requesting comments. But at a hearing last fall, Rep. Al Green, D-Texas, wanted something with teeth. He has asked FERC's new director, Joseph McClelland, to determine whether FERC needs Congress to grant legal authority to mandate that electric companies implement best cyber-security practices.

McClelland told the House Homeland Security cyber-security panel that he does not think FERC has any enforcement authority over private companies on the matter.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.