Closing the Loop

Agencies still struggle to hold on to sensitive data.

Losing 26.5 million personal records when a Veterans Affairs Department laptop was stolen in May 2006 should have been a wake-up call for federal agencies. It was an unprecedented loss of personal information, on active-duty military personnel and veterans, and it prompted an Office of Management and Budget mandate in June 2006 requiring agencies to launch new security procedures by Aug. 7, 2006.

But by all accounts, agencies have failed to comply fully with the order. Indeed, nine months after VA's massive data breach, the agency lost another hard drive, this one containing sensitive information on physicians who have submitted bills to Medicare and Medicaid. Medical data on 535,000 VA patients was included in the hard drive that went missing from a Birmingham, Ala., facility. Dozens of agencies have lost sensitive information.

Some agencies say they lack money to secure their electronic records, but critics disagree. Like homeland security funding after the Sept. 11 terrorist attacks, money for data security has increased steadily. In fiscal 2006, agencies received $5.5 billion for cybersecurity, nearly 10 percent of the entire information technology budget. Agencies have yet to break down their IT security funding for fiscal 2007 and fiscal 2008, but security experts don't believe the percentage will shrink.

Agencies that haven't promised to pony up bigger dollar amounts for cybersecurity are encouraged to hold back on new projects to fund that critical need, according to Karen Evans, OMB administrator of e-government and information technology. Agencies are supposed to "live, eat and breathe" cybersecurity, she says. In a March 20 memorandum to chief information officers, Evans required agencies to move to a standard desktop configuration for Windows operating systems. The standard is supposed to speed up the installation of security updates. But some security experts, including Purdue University Professor Eugene Spafford, say a standard configuration could make computers more vulnerable. Some operating systems and applications lack security controls, he says.

OMB's mandate urges agencies to encrypt data on remote computers and permit access only with two modes of authentication. But implementation has been spotty. An October 2006 report by the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency found that three-quarters of all agencies still are trying to assess the vulnerability of the personal information they manage.

Developing enforceable policies on the use of sensitive information remains a challenge, the report says. Agencies also have had difficulties safeguarding their systems, the report says, adding that systematically enforcing computer encryption is critical.

Critics say the new OMB guidelines fail to address conflicting goals. For one thing, it's not in the best interest of federal employees to create a culture of cybersecurity awareness, says Eric Hay, worldwide director of field engineers for Credant Technologies Inc., a Dallas-based mobile data security firm. Clamping down on information can make it difficult for employees to do their jobs when they are in the field or working across agency lines. Organizations evaluate staff performance on productivity, not security, Hay says. Employees are going to choose productivity over security, he says, so "don't let them make the choice."

Scott McNealy, chairman of the board for Sun Microsystems, says government isn't fully adopting readily available information security technology. His solution is to remove data from individual computers and store it on a mainframe server, where it is available for downloads. That way, should someone steal a laptop or other computer device, the data isn't on the hard drive. "I haven't stolen anything . . . there's no data," he says.

Despite movement toward establishing safeguards, the challenge of protecting sensitive data continues to elude agencies, security experts say. Many fear that if agencies don't work faster to tighten controls, the personal information held in their databases could go walking out the door at any time.
