Mobility of federal workers hinders data security

Recent Office of Management and Budget directive will require encryption of all sensitive data, whether it is being used or is at rest.

As the federal workforce becomes more mobile, a growing challenge for agency chief information officers is how to encrypt information and share it, according to the Justice Department's chief information officer.

Vance Hitch spoke Thursday to information technology contractors at a government symposium organized by Symantec. "Thumb drives are everywhere, and we have to encrypt them," Hitch said. "We're supposed to figure out how to have the data on them expire after 90 days."

Hitch said a recent White House Office of Management and Budget directive will require encryption of all sensitive data leaving his department, whether the information is being used or is at rest. "This creates challenges with how to do encryption-sharing across agencies," Hitch said.

He said part of the challenge is that agencies and departments have different encryption software and vendors. Another challenge is how to extract data and control who can make copies of data.

Hitch said some CIOs complain about the costs of compliance with the Federal Information Security Management Act, which established standards and guidelines for cyber security at government agencies. He said some say that after spending money on compliance, they no longer can afford actual security measures like penetration testing and scanning for their systems.

"But overall I think FISMA has been good," Hitch said. "It has increased focus on IT security."

He also noted recent breaches like the theft of a Veterans Affairs Department laptop containing personal data on 26.5 million veterans have helped raise the profile of security needs.

"One thing the VA [data loss] did do is get senior management's attention," Hitch said.

He said that while CIOs certainly have "differences" with OMB, he agrees with the agency on one point: "If you can afford to build it, you can afford to build it right."

Hitch said security needs to be built in, and federal agencies must be more proactive in demanding that from vendors. "We need defensive security including things like situational awareness," he said. "Whether it's Oracle, Symantec or Brand 'X', we're going to look for hardened systems that are easier to lock down."

Noting that agencies "spend so much money afterward" fixing vulnerabilities, Hitch said security needs to be addressed "earlier in the supply chain." It requires monitoring what vendors and contractors are building to make sure it is secure, he added.