Defense, GSA lead way on encryption technology

The federal government is embracing new forms of encryption technology to safeguard private and other sensitive information stored on laptops and thumb drives.

The Defense Department and General Services Administration on Tuesday announced a partnership to purchase the latest in data-at-rest technology to address the agencies' data encryption needs. According to a press release, the Data-At-Rest Tiger Team (DARTT) was able to secure $73 million in data-at-rest products for only $15 million. Data-at-rest refers to information that has been downloaded and is sitting statically on devices like thumb drives, BlackBerrys and laptops not connected to the network.

Tom Kireilis, director of the strategic solutions division at GSA's Federal Acquisition Service, said the two agencies have been working on this for about a year, shortly after a rash of laptop thefts. "The news on the missing laptops came in late 2006; agencies were really in a crunch to do something to stop that threat," said Kireilis. "This technology was an obvious solution to that. We also thought a unified governmental approach was the best way."

In 2006, hundreds of laptops containing sensitive personal information were stolen from the Commerce Department and several other agencies. Since then, the administration has been under pressure to improve its data security practices. In response, the Office of Management and Budget issued a memorandum requiring all agencies to encrypt all data deemed "sensitive" on mobile devices.

The $15 million price tag is the result of a blanket purchase agreement between vendors and GSA and Defense. Kireilis said they received more than 30 proposals. Of those, they chose 11 from 10 different providers. From there, the agencies negotiated very aggressive pricing below what's normally available. According to Kireilis, this particular agreement is open to cooperative purchasing, which means that state and local governments are able to buy off it. State and local budgets often are a lot tighter than those at the federal level, so the cost ranges are attractive to those groups.

Kireilis said GSA tries to combine requirements from several agencies. "Say an agency was going to purchase 50,000 licenses for a product; if we can aggregate a few other agencies, now the company is selling a few hundred thousand products, so they are willing to dig deeper [and lower the price]."

Implementing the software was rather straightforward, says Kireilis. "There are two types of encryption; full disk encrypts the entire disk and is very intensive," he said. "File encryption just encrypts the individual files that hold sensitive data. Decisions have to be made at the agency level if the data is such that everything has to be encrypted." Kireilis added that data encryption is a problem at every agency. "With these laptops, thumb drives and phones, you walk away and forget your data. They are extremely easy to leave behind."

Agencies eventually will have to implement the technology on their own, Kireilis said.