The report, "Information Security: Protecting Personally Identifiable Information," was spurred on by the major security breach at the Department of Veterans Affairs (VA) in 2006, when a laptop containing the names, Social Security numbers and other personal information of millions of veterans was stolen.
Sen. Norm Coleman, R-Minn., and Rep. Susan Davis, D-Calif., requested that GAO identify federal laws already in place and investigate and describe the state of IT security compliance of 24 federal agencies.
GAO recommendations included encrypting data on mobile computers and other devices that carry agency data, and using a National Institute of Standards and Technology (NIST) checklist to properly categorize any data deemed personally identifiable information that is accessed remotely or physically transported outside the agency.
Only two agencies – Treasury and Transportation – met all the recommendations for compliance, while two others – Small Business Administration and National Science Foundation – met none, the GAO report said. The other 20 agencies comply with some but not all of the GAO report's recommendations for better security and privacy.
The VA does not yet fully comply with all the GAO recommendations, but is working to improve its security, a VA spokesman told SCMagazineUS.com Tuesday.
"VA is committed to ensuring the personal information of our veterans is secured," said Matt Smith, a department spokesman. "We are continually enhancing our protections and welcome opportunities to improve."
While John Dasher, director of product management at encryption provider PGP, said he applauds the GAO for highlighting the need for more agency security, he believes the report and subsequent actions fall short.
"There is no real plan behind the report," he told SCMagazineUS.com Thursday. "It talks about encryption, which is a good thing, but an enforceable policy is necessary. If you put rules in place, you need to take action to make sure people follow those rules."
A representative from the federal Office of Management and Budget, which has released two memos mandating that federal agencies implement data security safeguards and breach notification protocols, did not respond to a request for comment.