OMB 06-16 Three Years Later: The Hidden Cybersecurity Risks of Not Complying with the President’s Remote Data Encryption Mandate
By Earl Hicks Jr.
One of my key responsibilities as a Department of Justice (DOJ) security official was to ensure the constant protection of sensitive information. Security incidents such as the stolen laptop from a Department of Veterans Affairs employee in 2006 that exposed personal information of 26.5 million veterans and military personnel left a serious and lasting impression on me. Later that same year, the President’s Office of Management and Budget issued Memorandum 06-16 (OMB 06-16), the remote data encryption mandate, to better protect the flow of information carried in and out of federal government agencies. My immediate reaction to the mandate was to implement a policy that required encrypted removable media to be used when carrying sensitive but unclassified (SBU) data outside any of our offices. I anticipated a long-term effort to effectively secure in-the-field government security operations. However, I didn’t expect that we’d still be grappling with this issue more than three years later.
The premise of OMB 06-16 is to protect sensitive data collected, stored, and carried on removable media. While the majority of government agencies process data inside offices and on their own IT networks with robust system-wide encryption programs, many legal and investigative employees conduct interviews and collect information in the field, where network- and server-based encryption programs are not enabled. To ensure secure data storage during these field operations, OMB 06-16 requires the use of mobile devices protected with a level of encryption described in the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2.
Because of widely publicized incidents, laptops have received the lion’s share of attention. However, a more pressing vulnerability is the common use of CDs, DVDs, and flash drives, which can store 10 times the amount of data on a laptop. We’re not simply talking about the equivalent of losing a couple of file cabinets’ worth of documents, but rather full file cabinets that fill several rooms. To achieve compliance with OMB 06-16, many agencies rely on NIST’s list of approved flash drives. The challenge is that FIPS 140-2 encrypted flash drives are expensive, and many are not compatible with more than one computer or more than one user.
Another challenge in the remote data encryption mandate involves the requirement to share sensitive information with contract companies using IT networks outside the secure government environment. One such mission-critical task is the completion of legal transcriptions for federal litigators and criminal investigators. Each year more than 300,000 legal cases are filed in federal courts, generating millions of pieces of testimony and verbal accounts provided by suspects, experts, and witnesses. Many of these items are collected in the field by attorneys, criminal investigators, and special agents and are then sent unencrypted through the mail and over the open Internet to commercial transcriptionists working under government contracts.
One of my challenges at DOJ was to ensure our legal transcriptions were processed by contract companies operating in compliance with all federal IT security regulations. Unfortunately, none of the commercial transcription companies had the capabilities or technology required to comply with OMB 06-16 and other restrictive federal information system security policies. As a result, legal transcripts were being processed and stored on unencrypted computers and transmitted over the open Internet.
In an effort to achieve compliance while supporting the ongoing missions of their agencies, federal legal and criminal investigative offices have settled on two commonly used ways to complete this mission-critical task. The first option is to bring contract transcriptionists into government offices to complete the work on government computer equipment. A second, and more widely used, option is to ask CIOs to sign waivers of the IT security policies and assume the risk of losing the SBU data in order to support the ongoing mission-critical needs of the agencies. With no alternative, the very same SBU data the federal government spends billions of dollars to protect is allowed to be transmitted to and processed by contractors with little to no IT security protections in place.
Both options carry undesirable implications. With limited resources and work space, having contractors work within federal offices decreases the productivity of federal employees, who must give up their own workspace and equipment. Alternatively, asking CIOs for waivers to bypass essential IT security policies compromises the integrity of SBU data.
Ultimately, the information security best practices that OMB 06-16 set out to achieve are imperative to the protection of the SBU data that must be transported in and out of government facilities every day. In the instance of legal transcriptions, sensitive data that could identify protected witnesses, undercover agents and sensitive government operations could impact our nation’s security and lead to physical harm, or death, if disclosed to unauthorized individuals. CIOs, procurement officers and internal investigators should re-evaluate their suppliers’ use of government data to ensure it is not exposed to undue risk. While there has, thankfully, not yet been a worst-case scenario to force government agencies to take corrective actions, it is only a matter of time.
Earl Hicks Jr. is a former Director of Security Programs for the Department of Justice Office of the Inspector General and the CEO and Founder of LegaLock Secure Transcriptions (www.legalocksolutions.com).