U.S. Government Mandates Laptop Security
The U.S. government is giving federal civilian agencies just 45 days to comply with new recommendations on laptop encryption and two-factor authentication. The official memo (PDF) from the Executive Office of the President stipulates that all mobile devices holding sensitive information must have their data encrypted. It also requires that remote access use two-factor authentication, that remote sessions time out after 30 minutes of inactivity, and that all extracts of sensitive data be logged. Beyond this broad outline the memo names no specific technologies, presumably leaving each agency to choose its own implementation.
The memo follows a wave of high-profile data thefts and major security breaches involving remote access or the theft of government laptops containing sensitive personal information. Recent incidents include the theft of 26,000 SSNs and photos at the U.S. Department of Agriculture; a laptop containing the fingerprints of 291 Internal Revenue Service employees; the Energy Department's loss of 1,500 employee and contractor personal records at the National Nuclear Security Administration; the compromise of the identities of 2.2 million active-duty military personnel at the Department of Veterans Affairs; a stolen Federal Trade Commission laptop holding data on 110 people; the Navy's discovery of 28,000 personal records posted on a website; and, finally, an insurance company employee's exposure of 17,000 personal Medicare records, according to the Department of Health and Human Services.
Five of these seven incidents involved laptops without encryption; the others involved remote access to private systems over the Internet, which two-factor authentication might have prevented or at least made more difficult.