Trade Law Daily is a service of Warren Communications News.

Recent Leaks Changed How OMB, Agencies Do Business

Several recent high-profile corporate data breaches and the leaking of personal information by the Dept. of Veterans Affairs (WID May 23 p7) focused the govt.’s attention on information security, an OMB official said: Yet, too much planning, not enough action and lack of communication among various security and privacy personnel impede progress.

After the VA incident in May, OMB began asking agencies for “expanded privacy reporting,” said Glenn Schlarman, chief of OMB’s Information Policy & Technology branch. In doing so, “we realized that privacy and security officers don’t know each other as well as they should. These aren’t 2 separate processes. Information privacy is one of the things you use security to protect,” he told the NIST’s Information Security & Privacy Advisory Board.

In July, OMB began requiring agencies to report data breaches -- and potential incidents -- to the U.S. Computer Emergency Readiness Team within an hour. Agencies must also include security costs in their IT budget requests, which most agencies had not thought of before, he said. “So there’s no excuse. No new money until legacy systems are secured. We're not going to fund systems that aren’t secure,” he said.

The govt. should work as one, with all employees in all agencies receiving the same training so “each agency can speak to one another at the same wavelength,” he said: “Security is a commodity or a service and if we have homegrown [versions] in each different agency it’s enormously expensive and enormously time-consuming.” -- Alexis Fabbri

Advisory Board Notebook…

Cyber threat sources are “very diverse,” but most aren’t of national concern, NIST said Thurs. Most threats are “not hugely funded,” and are mounted by individuals or small groups, Curt Barker, Computer Security Div. Chief, told a meeting of the agency’s Information Security & Privacy Advisory Board. Federal agencies must adhere to NIST security standards but states and companies are adopting them, he said. Unfortunately, piecemeal adoption leaves many state and company systems “half-dressed,” he said. NIST is pushing biometrics as a verification tool and trying to update “horribly dated” password guidelines, he said. While no specific evidence of attacks from abroad has emerged, NIST “assumes the worst” and is thinking in terms of cyber attacks originating in other countries, he said.