OMB releases guidelines for data security

The Office of Management and Budget issued new security "guidelines" (PDF) to prevent data breaches today, after a month of revelations of shoddy treatment of personal information at the hands of government employees, the Washington Post reports.

Agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. For access to sensitive data on servers, employees need a physical security device like a key card - plus a password. And agencies must keep records of information downloaded from databases and delete those records within 90 days unless their use is still requied.

While OMB is giving agencies 45 days to get the measures in place and will use agency inspectors general will help ensure compliance, the White House was very careful to call the regulations "recommendations" not "requirements," the Post said. OMB said they intended "to compensate for the protections offered by the physical security controls when information is removed from, or accessed from outside of the agency location."

That careful distinction indicates that the administration is under pressure to respond to the recent string of data mishaps, but that it could not quickly pull all the political and financial strings usually tied to regulatory mandates, according to James Lewis, director of technology and public policy at the Center for Strategic and International Studies.

"The encryption and authentication measures mean agencies are going to have to spend money that they weren't planning to spend, and so in that way it's probably easier for [OMB] to get a recommendation out than [a] command," Lewis said. "That said, this is more of an implied threat, because you usually don't threaten agencies with their inspector general unless you intend to lean on them."

The moves are "excellent," said the security firm SANS Institute. But there is a dark cloud to the silver lining, said SANS' Alan Paller. The memo includes a nine-page attachment from the National Institutes of Standards and Technology (NIST) that requires agencies to spend a lot of time and tens of thousands of dollars in studies to figure out what to do next," Paller said.

The guidelines had better work, suggested House Government Reform Committee Chairman Thomas M. Davis III (R-Va.): "[I]f not, perhaps Congress will have to step in and mandate specific security requirements," Davis said in a statement.