A memo sent out by OMB Deputy Director Clay Johnson III last week lays out a number of concrete recommendations for agencies to follow in order to better protect U.S. citizens' private information held on government systems.
The missive is a firm reminder from the government overseers at OMB that information security must be improved to protect citizens, particularly after the public fallout following the loss of millions of VA records.
Though the memo's recommended steps aren't mandated regulation, it states that OMB will work with agency inspectors general to ensure agencies are complying by the deadline.
"We intend to work with the inspectors general community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us," Johnson said in the memo.
The memo states that agencies should be using the National Institute of Standards and Technology (NIST) security checklist as a baseline for security practices.
In addition, it outlined four other steps that agencies will need to take to protect their systems. First on that list is encryption for all data unless it is deemed non-sensitive, in writing, by a department head.
The OMB also expects agencies to use two-factor authentication for remote users, where one factor requires some kind of separate device for identity confirmation. On top of this, these users will need to re-authenticate after 30 minutes of inactivity on their mobile devices.
Finally, the memo stated that all computer-readable data extracts from databases must be logged and that these extracts need to be verified as erased after 90 days unless their use is still required.
Johnson acknowledged that most agencies are already following these steps, but that he expects everyone to follow suit within the month-and-a-half timeframe.