
D-Day for federal agencies to develop breach policies, evaluate SSN use


Today marks the White House-imposed deadline for federal agencies to develop and implement a breach notification policy and to have reviewed their use of Social Security numbers (SSNs).

A 22-page memo from the Office of Management and Budget, issued in May, requires that agencies develop a notification policy using Federal Information Security Management Act (FISMA) guidelines and other privacy legislation built on the National Institute of Standards and Technology standards.

In addition, agencies must review their use of SSNs in advance of a deadline 14 months away, by which time they must establish a plan for eliminating the unnecessary use and storage of the personal identifiers.

"These are not like rocket-science kind of requirements," Ted Julian, vice president of marketing at database security firm Application Security, said today. "These are good housekeeping security principles that are just getting mandated now, but they should be things those agencies are working on anyway."

Based on the agency findings, the OMB — the White House office responsible for creating the president's annual budget and submitting it for congressional approval — likely will formulate a standardized policy that agencies should follow for reporting breaches, Kevin Richards, federal government relations manager for Symantec, said today.

Federal agencies have faced harsh criticism in recent months over a number of information security lapses in which millions of confidential records were exposed. In April, they scored a collective C-minus on the annual FISMA report card.

"I think the government should be held to a higher standard because, as a citizen, you have no choice but to give your information to them," Richards said. "They should be trusted stewards."

The May memo, which came nearly a year to the day after thieves stole a Department of Veterans Affairs laptop from an employee's home, will spur agencies to be more proactive, said Art Gilliland, senior director of product marketing in Symantec's Information Foundation division.

"There's a lot of technology, as well as a lot of process things in terms of best practices that other industries are doing," he said. "Government should be holding itself to a higher standard."

An OMB directive last year recommended agencies deploy encryption on mobile devices and institute two-factor authentication for remote access, Julian said.

A spokeswoman for OMB said today that the office will monitor agency progress on the requirements through the President's Management Agenda scorecard.
