Government urged to standardize data encryption standards

Some people are hoping the new year brings a new level of agreement on encryption standards used by federal agencies. Vendors are awaiting a request for proposals from the Homeland Security Department on encryption standards.

Encryption is seen by many as a way federal agencies can better protect sensitive data, but the existence of so many types of encryption and services has meant that the purpose and ability to read them can easily get lost.

"It's like one hand clapping," said Jim Russell with Symantec's public-sector education department. "We need one single encryption tool that incorporates multiple vendors."

He will be both advocating and applauding any movement toward encryption standards, but it could be a slow process.

Chief information officers, including Vance Hitch at the Justice Department, have said complying with directives by the White House Office and Management and Budget to encrypt all sensitive data leaving his department is a challenge because of differences among federal agencies, which currently use competing software and vendors.

At security conferences last fall, federal CIOs said the problem is that when employees see encryption or other security steps as too slow or too much of an obstacle to doing their jobs, they become more likely to break the rules.

The Government Accountability Office repeatedly has criticized federal entities, including the Internal Revenue Service in a report this week, for not following their own rules that require sensitive data to be encrypted.

GAO praised the IRS for better controlling user IDs on critical servers, building security into new applications and encrypting data. But the watchdog also found that the agency didn't always enforce password management or encrypt sensitive data.

A main reason that about 70 percent of the cyber-security upgrades remain undone is that the IRS is part way through implementing an agency-wide security program, according to the report. The fiscal 2008 budget provides $267 million for the upgrades.

On another security front, GAO has recommended Homeland Security do a better job securing online electric-control systems and sharing vulnerabilities of the systems. Additional steps may be around the corner for that.

Because private companies control the power grid, Homeland Security has been relying on the Federal Energy Regulatory Commission to recommend how to better protect the power grid from cyber attacks. FERC in turn has relied on voluntary standards developed by the Northern American Electric Reliability Corporation.

NAERC issued a report on its latest guidelines this week and is requesting comments. But at a hearing last fall, Rep. Al Green, D-Texas, wanted something with teeth. He has asked FERC's new director, Joseph McClelland, to determine whether FERC needs Congress to grant legal authority to mandate that electric companies implement best cyber-security practices.

McClelland told the House Homeland Security cyber-security panel that he does not think FERC has any enforcement authority over private companies on the matter.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by Brocade

    Best of 2016 Federal Forum eBook

    Earlier this summer, Federal and tech industry leaders convened to talk security, machine learning, network modernization, DevOps, and much more at the 2016 Federal Forum. This eBook includes a useful summary highlighting the best content shared at the 2016 Federal Forum to help agencies modernize their network infrastructure.

  • Sponsored by CDW-G

    GBC Flash Poll Series: Merger & Acquisitions

    Download this GBC Flash Poll to learn more about federal perspectives on the impact of industry consolidation.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by Aquilent

    A DevOps Roadmap for the Federal Government

    This GBC Report discusses how DevOps is steadily gaining traction among some of government's leading IT developers and agencies.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.

  • Sponsored by CDW-G

    Joint Enterprise Licensing Agreements

    Read this eBook to learn how defense agencies can achieve savings and efficiencies with an Enterprise Software Agreement.

  • Sponsored by Cloudera

    Government Forum Content Library

    Get all the essential resources needed for effective technology strategies in the federal landscape.


When you download a report, your information may be shared with the underwriters of that document.