Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

GAO-08-525 June 27, 2008
Full Report (PDF, 74 pages)

Summary

Many federal operations are supported by automated systems that may contain sensitive information such as national security information that, if lost or stolen, could be disclosed for improper purposes. Compromises of sensitive information at numerous federal agencies have raised concerns about the extent to which such information is vulnerable. The use of technological controls such as encryption--the process of changing plaintext into ciphertext--can help guard against the unauthorized disclosure of sensitive information. GAO was asked to determine (1) how commercially available encryption technologies can help agencies protect sensitive information and reduce risks; (2) the federal laws, policies, and guidance for using encryption technologies; and (3) the extent to which agencies have implemented, or plan to implement, encryption technologies. To address these objectives, GAO identified and evaluated commercially available encryption technologies, reviewed relevant laws and guidance, and surveyed 24 major federal agencies.

Commercially available encryption technologies can help federal agencies protect sensitive information that is stored on mobile computers and devices (such as laptop computers, handheld devices such as personal digital assistants, and portable media such as flash drives and CD-ROMs), as well as information that is transmitted over wired or wireless networks, by reducing the risks of its unauthorized disclosure and modification. For example, information stored in individual files, folders, or entire hard drives can be encrypted. Encryption technologies can also be used to establish secure communication paths for protecting data transmitted over networks. While many products to encrypt data exist, implementing them incorrectly--such as failing to properly configure the product, secure encryption keys, or train users--can result in a false sense of security and render data permanently inaccessible.

Key laws frame practices for information protection, while federal policies and guidance address the use of encryption. The Federal Information Security Management Act of 2002 mandates that agencies implement information security programs to protect agency information and systems. In addition, other laws provide guidance and direction for protecting specific types of information, including agency-specific information. For example, the Privacy Act of 1974 requires that agencies adequately protect personal information, and the Health Insurance Portability and Accountability Act of 1996 requires additional protections for sensitive health care information. The Office of Management and Budget (OMB) has issued policy requiring federal agencies to encrypt all data on mobile computers and devices that carry agency data and to use products that have been approved by the National Institute of Standards and Technology (NIST) cryptographic validation program. Further, NIST guidance recommends that agencies adequately plan for the selection, installation, configuration, and management of encryption technologies.

The extent to which 24 major federal agencies reported that they have implemented encryption and developed plans to implement encryption of sensitive information varied across agencies. From July through September 2007, the major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 percent of their laptop computers and handheld devices. Additionally, agencies reported uncertainty regarding the applicability of OMB's encryption requirements for mobile devices, specifically portable media. While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result, federal information may remain at increased risk of unauthorized disclosure, loss, and modification.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


Recommendations for Executive Action
Recommendation: To assist agencies with effectively planning for and implementing encryption technologies to protect sensitive information, the Director of the Office of Management and Budget should clarify governmentwide policy requiring agencies to encrypt sensitive agency data through the promulgation of additional guidance and/or through educational activities.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist agencies with effectively planning for and implementing encryption technologies to protect sensitive information, the Director of the Office of Management and Budget should monitor the effectiveness of the agencies' encryption implementation plans and efforts to inventory the sensitive information they hold.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to develop and implement departmentwide procedures for encryption key establishment and management.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to evaluate, select, and install Federal Information Processing Standard (FIPS) 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency.

Agency Affected: Department of Education

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to configure installed FIPS-compliant encryption technologies in accordance with the FIPS-validated cryptographic module's security settings for the product.

Agency Affected: Department of Education

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

Agency Affected: Department of Education

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.

Agency Affected: Department of Education

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.

Agency Affected: Department of Education

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to evaluate, select, and install FIPS 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency.

Agency Affected: Department of Housing and Urban Development

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to configure installed FIPS-compliant encryption technologies in accordance with the FIPS-validated cryptographic module's security settings for the product.

Agency Affected: Department of Housing and Urban Development

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to develop and implement departmentwide procedures for the use of FIPS-compliant cryptography and for encryption key establishment and management.

Agency Affected: Department of Housing and Urban Development

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies at the Department of State, the Secretary of State should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

Agency Affected: Department of State

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies at the Department of State, the Secretary of State should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.

Agency Affected: Department of State

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies at the General Services Administration, the Administrator of the General Services Administration should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

Agency Affected: General Services Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve the life cycle management of encryption technologies at the General Services Administration, the Administrator of the General Services Administration should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.

Agency Affected: General Services Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices.

Agency Affected: National Aeronautics and Space Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

Agency Affected: National Aeronautics and Space Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.

Agency Affected: National Aeronautics and Space Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.