Feds Mandate Laptop Security

The Bush administration is giving federal civilian agencies 45 days to comply with new recommendations to secure laptop computers with encryption and two-factor authentication, SecurityFocus.com reports.

The article references a memo following a wave of high-profile data losses at government agencies. The memo, from the executive office of the U.S. president, says all mobile devices with sensitive information must have their data encrypted.

SecurityFocus.com reports the memo indicates that two-factor authentication must be used for remote access, remote access must time out after 30 minutes of inactivity, and all data extracts must be logged. The memo does not detail any specific technology recommendations beyond this broad outline, presumably leaving agencies to decide on their own specific implementations.

The article also cites recent incidents involving the theft of 26,000 Social Security numbers and photos at U.S. Department of Agriculture, a laptop containing fingerprints of 291 Internal Revenue Service workers, the Energy Department’s loss of 1,500 employees’ and contractors’ personal records at the National Nuclear Security Administration, a compromise of the identities of 2.2 million active-duty military personnel at the Department of Veterans Affairs, a stolen laptop at the Federal Trade Commission with information on 110 people, the Navy’s discovery of 28,000 personal records on a website, and an insurance company worker who exposed 17,000 Medicare records, according to the Department of Health and Human Services.

According to SecurityFocus.com, five of these seven incidents involved laptop computers without encryption, and the others involved remote access to private systems via the Internet that may have been prevented or made more difficult with two-factor authentication.

Compiled by Paul Kerstein

For more information, read Data Breach at the VA.

Keep checking in at our Security Feed for updated news coverage.

Or subscribe via RSS.