OMB steps up data security reporting requirements

By Daniel Pulliam

July 14, 2006

In an effort to improve the federal response to data breaches putting personal information such as Social Security numbers at risk, the Office of Management and Budget is eliminating the distinction between suspected and confirmed breaches for reporting purposes.

In a July 12 memorandum, Karen Evans, administrator of OMB's Electronic Government and Information Technology division, said that agency chief information officers should not hold back reporting suspected breaches, both electronic and physical, to the Homeland Security Department's computer emergency readiness team, known as US-CERT.

The memo says that all security incidents involving such information must be reported within an hour. US-CERT reporting guidelines for federal agencies already require reporting within one hour for any incidents involving unauthorized electronic or physical access to federal systems or data.

In the case of the early May Veterans Affairs Department data breach, it took weeks for senior officials within the agency to take notice of the incident, partially because officials had not confirmed that the personal information of 26.5 million people contained on the stolen computer equipment actually had been compromised.

An agency now will have to report incidents of improper usage, such as an employee violating policies on handling sensitive data, within an hour. Previously, the requirement was one week.

Federal agencies have disclosed a rash of data breaches of late. In addition to the VA situation, those include incidents at the Navy, affecting more than 125,000 personnel and their families; the Agriculture Department, affecting 26,000 employees; the Health and Human Services Department, affecting 17,000 Medicare recipients; the Defense Department, affecting 14,000 employees; the Energy Department, affecting 1,500 employees; the Social Security Administration, affecting 200 workers; the Internal Revenue Service, affecting nearly 300 employees; and the Government Accountability Office, affecting 1,000 people.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, said the new OMB requirement may increase the speed of reporting, but not the amount.

"There is so much pain involved, that unless somebody internally is going to blow the whistle on you, the agencies are not going to talk about it," Paller said. "The guy at fault usually doesn't want to tell his boss, and if his boss finds out about it, he doesn't want to tell anybody."

The memo also reiterates requirements established in February 2000 for detailing security funding in information technology budgets.

In addition to those requirements, the memo asks agencies to provide additional details on resources they devote to fixing security weaknesses, as part of their fiscal 2008 budget requests. Agencies with substantial weaknesses will need to identify specific funds for fixing those vulnerabilities.

John Pescatore, vice president for Internet security at Gartner Inc., an information technology research and advisory firm based in Stamford, Conn., said that by eliminating the distinction between suspected and confirmed breaches, the memo will keep agencies from hiding the fact that a breach occurred.

"If you lost the hard drive, the incident happened, and you can't just say that we don't know whether somebody looked at the data or not," Pescatore said.

He said requirements that agencies incorporate IT security funding into their new projects did not help six years ago, and are unlikely to make much of a difference now.

"Have they ever stopped a procurement because IT security funding wasn't built into an existing project?" Pescatore said. "I think it was sort of a bureaucratic reaction to send out memos and make it seem [like there was] more action."

In response to the rash of data breaches, House Government Reform Committee Chairman Tom Davis, R-Va., and the committee's ranking member, Henry Waxman, D-Calif., sent letters this week to all Cabinet agencies as well as to the Office of Personnel Management and the Social Security Administration, asking for information on any "loss or compromise of sensitive personal information" since Jan. 1, 2003.

Also approaching is the Aug. 7 deadline for complying with a previous OMB memo that, among other recommendations, directs agencies to encrypt all data on mobile devices carrying sensitive information.