The Government Accountability Office slammed the Bush administration in a report released July 29 saying 70 percent of laptops, notebook PCs and mobile devices used by federal agencies in the executive branch are not encrypted or secure.
The GAO report comes more than two years after the Department of Veterans Affairs reported a laptop stolen and the names and Social Security numbers of 26 million veterans were exposed, in the second-largest data breach on record. Today only 30 percent of federal agency laptops and mobile devices are using encryption to protect data, according to the report (PDF).
At a request by Congress, the GAO studied encryption efforts at 24 major federal agencies and found that 70 percent of them had not yet installed encryption technology to protect sensitive information. In addition, the GAO reported widespread uncertainty among the agencies about encryption requirements, particularly regarding portable media. The report covered July to September of 2007.
"As a result, federal information may remain at increased risk of unauthorized disclosure, loss and modification," the GAO reported.
The OMB (Office of Management and Budget) has policy in place requiring federal agencies to encrypt all data on mobile computers and devices that carry agency data and use products that have been approved by the NIST (National Institute of Standards and Technology) cryptographic validation program.
Additionally, NIST guidance recommends that agencies adequately plan for the selection, installation, configuration and management of encryption technologies.
"While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users," the GAO said.
The GAO report comes after a series of embarrassing security gaffes by federal agencies that began with a VA employee violating agency policy by taking home a laptop that contained personal data on more than 26 million veterans. The laptop was subsequently stolen in a home burglary.
Law enforcement officials eventually recovered the laptop and the FBI and the VA Office of the Inspector General ultimately determined that the thief had not compromised the data on the laptop. The Navy, the Department of Agriculture and the Department of Commerce later reported security breaches of their own.
"Encryption is not an option, it is a mandate," U.S. House Committee on Homeland Security Chairman Bennie Thompson, D-Miss., said in a statement. "Unfortunately, I'm not surprised that despite mandates by OMB, the federal government is only 30 percent of the way there. This administration regularly falls short when it comes to addressing our information security weaknesses."
Rep. Zoe Lofgren, D-Calif., also issued a statement expressing disappointment at the state of the government's efforts to secure data.
"The GAO report clearly illustrates that federal agencies lag far behind the private sector in protecting and encrypting data," Lofgren said. "As one of Silicon Valley's elected representatives, I'm concerned that our government is not moving fast enough in its efforts to secure its systems and procedures. While we've seen some improvement, the executive branch still has quite a way to go to secure its systems and data."