Government urged to standardize data encryption standards

Some people are hoping the new year brings a new level of agreement on encryption standards used by federal agencies. Vendors are awaiting a request for proposals from the Homeland Security Department on encryption standards.

Encryption is seen by many as a way federal agencies can better protect sensitive data, but the existence of so many types of encryption and services has meant that the purpose and ability to read them can easily get lost.

"It's like one hand clapping," said Jim Russell with Symantec's public-sector education department. "We need one single encryption tool that incorporates multiple vendors."

He will be both advocating and applauding any movement toward encryption standards, but it could be a slow process.

Chief information officers, including Vance Hitch at the Justice Department, have said complying with directives by the White House Office and Management and Budget to encrypt all sensitive data leaving his department is a challenge because of differences among federal agencies, which currently use competing software and vendors.

At security conferences last fall, federal CIOs said the problem is that when employees see encryption or other security steps as too slow or too much of an obstacle to doing their jobs, they become more likely to break the rules.

The Government Accountability Office repeatedly has criticized federal entities, including the Internal Revenue Service in a report this week, for not following their own rules that require sensitive data to be encrypted.

GAO praised the IRS for better controlling user IDs on critical servers, building security into new applications and encrypting data. But the watchdog also found that the agency didn't always enforce password management or encrypt sensitive data.

A main reason that about 70 percent of the cyber-security upgrades remain undone is that the IRS is part way through implementing an agency-wide security program, according to the report. The fiscal 2008 budget provides $267 million for the upgrades.

On another security front, GAO has recommended Homeland Security do a better job securing online electric-control systems and sharing vulnerabilities of the systems. Additional steps may be around the corner for that.

Because private companies control the power grid, Homeland Security has been relying on the Federal Energy Regulatory Commission to recommend how to better protect the power grid from cyber attacks. FERC in turn has relied on voluntary standards developed by the Northern American Electric Reliability Corporation.

NAERC issued a report on its latest guidelines this week and is requesting comments. But at a hearing last fall, Rep. Al Green, D-Texas, wanted something with teeth. He has asked FERC's new director, Joseph McClelland, to determine whether FERC needs Congress to grant legal authority to mandate that electric companies implement best cyber-security practices.

McClelland told the House Homeland Security cyber-security panel that he does not think FERC has any enforcement authority over private companies on the matter.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • The Big Data Campaign Trail

    With everyone so focused on security following recent breaches at federal, state and local government and education institutions, there has been little emphasis on the need for better operations. This report breaks down some of the biggest operational challenges in IT management and provides insight into how agencies and leaders can successfully solve some of the biggest lingering government IT issues.

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care


When you download a report, your information may be shared with the underwriters of that document.