Since 2007 new rules from the Office of Management and Budget (OMB) require all federal laptops to be encrypted but these are largely being ignored. The report warned that many departments had not even begun to identify what data should be encrypted.
“We are recommending that OMB clarify governmentwide encryption policy to address agency efforts to plan for and implement encryption technologies,” said the report.
“We are also making recommendations to selected agencies to properly install and configure FIPS-compliant encryption technologies, to develop policies and procedures to manage encryption, and to provide encryption training to personnel.”
The report highlighted some unusually poor practice, including employees at Nasa refusing to put encryption software on their laptops and members of the Department of Education who weren’t told encryption software was installed so weren’t using it
The report makes 20 recommendations to improve the level of data security in government, including developing large scale education programs and a generic data encryption policy that can be rolled out across agencies.