Some state and local agencies are discovering the financial benefits of the federal SmartBuy encryption program. SmartBuy provides volume discount pricing on software approved by the National Institute of Standards and Technology's Federal Information Processing Standard 140-2 Cryptomodule Validation Program.
The Office of Management and Budget, General Services Administration and Defense Department awarded SmartBuy blanket purchase agreements last year to 10 encryption vendor teams. The companies' products protect sensitive, unclassified data on government laptop PCs, other mobile computing devices and removable storage media.
In some cases, vendors allow small state and local agencies to pay the same volume discount prices negotiated for larger federal agencies.
For example, Connecticut used the program to purchase $381,000 worth of encryption software. Without SmartBuy's discounts, the state would have had to pay $8.5 million more for the same software, said Tom Kireilis, who oversees SmartBuy as director of strategic solutions at GSA's Federal Acquisition Service.
To date, 15 state and local agencies have purchased 127,296 encryption software licenses through SmartBuy, saving them more than $32 million, according to OMB.
Mary Mosquera
When a laptop PC with unencrypted data was stolen from the car of a National Institutes of Health researcher earlier this year, it was evidence that agencies continue to expose people’s data to theft two years after the Veterans Affairs Department’s dramatic security breach.
The NIH incident showed that some agencies still lag in implementing the Office of Management and Budget’s policy for securing laptops and other mobile computing devices to prevent unauthorized access to personal data stored on them. The stolen NIH laptop contained 3,000 medical-research participants’ personal data, including medical records and Social Security numbers belonging to 1,200 of them.
Agencies trying to meet OMB’s data encryption mandate are struggling in the face of limited resources, internal resistance to change and the challenge of applying uniform standards in organizations where various nonstandard encryption solutions are already deployed, said Ed Meagher, deputy chief information officer at the Interior Department.
Encryption software scrambles stored data so that only an authorized user can access it. However, its use is only one of several requirements that OMB mandated in 2006 to protect mobile data. OMB’s policy memo also required the use of automatic timeout functions, two-factor user authentication for remote access to data and the logging of data extracts when they contain personal data. Agencies must also erase personal data within 90 days unless they certify a need to retain it longer.
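Two of the OMB requirements above, logging extracts of personal data and erasing them within 90 days unless retention is certified, are straightforward to audit if the extract log is kept in a structured form. The following Python is an added illustration written for this article, not code from OMB, GSA or any agency; the log format, field names and the sample entries are constructed assumptions, and the 90-day limit is the one the article describes.

```python
from datetime import date, timedelta

# Retention limit for extracted personal data, as described in the OMB policy.
RETENTION_DAYS = 90

# Constructed sample extract log (assumed format, not a real agency record).
# Each entry records one extract of data from an agency system.
SAMPLE_EXTRACTS = [
    {"id": "X-001", "extracted": date(2008, 1, 10), "contains_pii": True,
     "certified_retention": False, "erased": False},
    {"id": "X-002", "extracted": date(2008, 3, 15), "contains_pii": True,
     "certified_retention": False, "erased": False},
    {"id": "X-003", "extracted": date(2008, 1, 5), "contains_pii": True,
     "certified_retention": True, "erased": False},   # need to retain was certified
    {"id": "X-004", "extracted": date(2008, 1, 5), "contains_pii": False,
     "certified_retention": False, "erased": False},  # no personal data, not subject
    {"id": "X-005", "extracted": date(2008, 1, 20), "contains_pii": True,
     "certified_retention": False, "erased": True},   # already erased on time
]


def record_extract(log, extract_id, extracted_on, contains_pii):
    """Append a new extract entry to the log and return it.

    Every extract is logged; the PII flag decides whether the retention
    clock applies to it.
    """
    entry = {"id": extract_id, "extracted": extracted_on,
             "contains_pii": contains_pii,
             "certified_retention": False, "erased": False}
    log.append(entry)
    return entry


def retention_deadline(extracted_on):
    """Date by which an extract containing personal data must be erased
    (or its retention certified)."""
    return extracted_on + timedelta(days=RETENTION_DAYS)


def overdue_extracts(log, today):
    """Return ids of extracts that contain personal data, are older than
    RETENTION_DAYS, have not been erased, and have no retention
    certification. These are the entries an auditor would flag."""
    return [
        e["id"] for e in log
        if e["contains_pii"]
        and not e["erased"]
        and not e["certified_retention"]
        and (today - e["extracted"]).days > RETENTION_DAYS
    ]


if __name__ == "__main__":
    for entry_id in overdue_extracts(SAMPLE_EXTRACTS, date(2008, 5, 1)):
        print("overdue:", entry_id)
```

Run against the constructed log with a review date of 1 May 2008, only X-001 is flagged: X-002 is still inside the 90-day window, X-003 has a certified retention need, X-004 holds no personal data and X-005 was already erased. A real deployment would read the log from the system that produces extracts rather than from an inline list, but the check itself is the same.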
“We’re making up for decades of inattention to security, and now we’re trying to catch up very quickly, and it’s not pretty,” Meagher said.
Meagher endorses OMB’s multilayered approach to securing data on mobile devices as necessary medicine. A single requirement, such as mandatory encryption, would not sufficiently reduce security risks, and it might even shift the risk elsewhere, he said. But the logic behind OMB’s policy doesn’t make meeting the new requirements any easier.
“To the end user, it looks like it’s all coming at once, and for reasons that they may not understand or accept, you’re upsetting the normal course of things,” Meagher said.