Today marks the White House-imposed deadline for federal agencies to develop and implement a breach notification policy and to have reviewed their use of Social Security numbers (SSNs).
A 22-page memo from the Office of Management and Budget, issued in May, requires that agencies develop a notification policy using Federal Information Security Management Act (FISMA) guidelines and other privacy legislation built on the National Institute of Standards and Technology standards.
In addition, agencies must review their use of SSNs in advance of a deadline 14 months away, by which time they must establish a plan for eliminating the unnecessary use and storage of the personal identifiers.
"These are not like rocket-science kind of requirements," Ted Julian, vice president of marketing at database security firm Application Security, told SCMagazineUS.com today. "These are good housekeeping security principles that are just getting mandated now, but they should be things those agencies are working on anyway."
Based on the agency findings, the OMB — the White House office responsible for creating the president's annual budget and submitting it for congressional approval — likely will formulate a standardized policy that agencies should follow for reporting breaches, Kevin Richards, federal government relations manager for Symantec, told SCMagazineUS.com today.
Federal agencies have faced harsh criticism in recent months over a number of information security lapses in which millions of confidential records were exposed. In April, they scored a collective C-minus on the annual FISMA report card.
"I think the government should be held to a higher standard because, as a citizen, you have no choice but to give your information to them," Richards said. "They should be trusted stewards."
The May memo, which came nearly a year to the day after thieves stole a Department of Veterans Affairs laptop from an employee's home, will spur agencies to be more proactive, said Art Gilliland, senior director of product marketing in Symantec's Information Foundation division.
"There's a lot of technology, as well as a lot of process things in terms of best practices that other industries are doing," he told SCMagazineUS.com. "Government should be holding itself to a higher standard."
An OMB directive last year recommended agencies deploy encryption on mobile devices and institute two-factor authentication for remote access, Julian said.
A spokeswoman for OMB told SCMagazineUS.com today that the office will monitor agency progress on the requirements through the President's Management Agenda scorecard.