
Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

GAO-08-525 Published: Jun 27, 2008. Publicly Released: Jul 28, 2008.

Highlights

Many federal operations are supported by automated systems that may contain sensitive information such as national security information that, if lost or stolen, could be disclosed for improper purposes. Compromises of sensitive information at numerous federal agencies have raised concerns about the extent to which such information is vulnerable. The use of technological controls such as encryption--the process of changing plaintext into ciphertext--can help guard against the unauthorized disclosure of sensitive information. GAO was asked to determine (1) how commercially available encryption technologies can help agencies protect sensitive information and reduce risks; (2) the federal laws, policies, and guidance for using encryption technologies; and (3) the extent to which agencies have implemented, or plan to implement, encryption technologies. To address these objectives, GAO identified and evaluated commercially available encryption technologies, reviewed relevant laws and guidance, and surveyed 24 major federal agencies.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: To assist agencies with effectively planning for and implementing encryption technologies to protect sensitive information, the Director of the Office of Management and Budget should clarify governmentwide policy requiring agencies to encrypt sensitive agency data through the promulgation of additional guidance and/or through educational activities.
Status: Closed – Implemented
In fiscal year 2012, we verified that in its April 21, 2010 annual reporting instructions to federal agencies, OMB clarified governmentwide policy related to encryption.

Agency Affected: Office of Management and Budget
Recommendation: To assist agencies with effectively planning for and implementing encryption technologies to protect sensitive information, the Director of the Office of Management and Budget should monitor the effectiveness of the agencies' encryption implementation plans and efforts to inventory the sensitive information they hold.
Status: Closed – Implemented
In fiscal year 2012, we verified that OMB, through its annual reporting metrics, began monitoring agencies' encryption efforts.

Agency Affected: Department of Agriculture
Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices.
Status: Closed – Implemented
In fiscal year 2012, we verified that the Department of Agriculture had established and implemented a system that monitors the installation of encryption products installed on devices.

Agency Affected: Department of Agriculture
Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to develop and implement departmentwide procedures for encryption key establishment and management.
Status: Closed – Not Implemented
In fiscal year 2012, our review of evidence provided by the Department of Agriculture found that the department had not developed and implemented procedures for encryption key establishment and management.

Agency Affected: Department of Agriculture
Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.
Status: Closed – Implemented
In fiscal year 2012, we verified that USDA, in response to our recommendation, had developed a training program through its internal training system that includes courses that directly pertain to encryption software used agency-wide.

Agency Affected: Department of Education
Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to evaluate, select, and install federal information processing standards (FIPS) 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency.
Status: Closed – Implemented
In fiscal year 2012, we verified that Education has installed a FIPS 140-2-compliant encryption product.

Agency Affected: Department of Education
Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to configure installed FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product.
Status: Closed – Implemented
In fiscal year 2012, we verified that Education configured its installed encryption product in accordance with FIPS 140-2.

Agency Affected: Department of Education
Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.
Status: Closed – Implemented
In fiscal year 2012, we verified that Education, in response to our recommendation, had developed and implemented guidance for encryption key establishment and management.

Agency Affected: Department of Education
Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.
Status: Closed – Implemented
In fiscal year 2012, we verified that Education had developed and implemented departmentwide procedures that direct its use of FIPS-compliant cryptography.

Agency Affected: Department of Education
Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.
Status: Closed – Implemented
In fiscal year 201, we verified that Education had developed training materials for the operation of specific encryption technologies by incorporating encryption concepts into a cybersecurity and privacy awareness course.

Agency Affected: Department of Housing and Urban Development
Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to evaluate, select, and install FIPS 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency.
Status: Closed – Implemented
In fiscal year 2012, we verified that HUD selected and installed FIPS 140-compliant products and documented a project plan for the implementation of FIPS 140-compliant products.

Agency Affected: Department of Housing and Urban Development
Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to configure installed FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product.
Status: Closed – Implemented
In fiscal year 2012, we verified that HUD configured FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product.

Agency Affected: Department of Housing and Urban Development
Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to develop and implement departmentwide procedures for the use of FIPS-compliant cryptography and for encryption key establishment and management.
Status: Closed – Implemented
In fiscal year 2012, we verified that HUD implemented 2009 information technology security procedures that provide department-wide procedures for the use of FIPS-compliant cryptography and for encryption key establishment and management.

Agency Affected: Department of State
Recommendation: To improve the life cycle management of encryption technologies at the Department of State, the Secretary of State should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.
Status: Closed – Implemented
In fiscal year 2012, we verified that State, in response to our recommendation, had developed and implemented policies and procedures for encryption key establishment and management.

Agency Affected: Department of State
Recommendation: To improve the life cycle management of encryption technologies at the Department of State, the Secretary of State should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.
Status: Closed – Implemented
In fiscal year 2012, we verified that State, in response to our recommendation, had developed and implemented departmentwide procedures that direct its use of FIPS-compliant cryptography.

Agency Affected: General Services Administration
Recommendation: To improve the life cycle management of encryption technologies at the General Services Administration, the Administrator of the General Services Administration should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.
Status: Closed – Implemented
In fiscal year 2009, we verified that GSA, as of July 2009, issued an updated departmentwide IT Security Policy, which addressed GSA encryption policies for mobile devices, personally identifiable information, and key management. We also verified that, as of November 2008, GSA had issued procedural guidance for encryption key management.

Agency Affected: General Services Administration
Recommendation: To improve the life cycle management of encryption technologies at the General Services Administration, the Administrator of the General Services Administration should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.
Status: Closed – Implemented
In fiscal year 2009, we verified that, as of July 2009, GSA issued an updated departmentwide IT Security Policy, which required the implementation of FIPS cryptographic modules. We also verified that, as of November 2008, GSA had issued procedural guidance for FIPS cryptographic key management and modules.

Agency Affected: National Aeronautics and Space Administration
Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices.
Status: Closed – Implemented
In fiscal year 2012, we verified that NASA had implemented a mechanism that monitors the installation of its encryption products on agency devices and alerts the agency if the installation on any given device was not successful.

Agency Affected: National Aeronautics and Space Administration
Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.
Status: Closed – Implemented
In fiscal year 2012, we verified that NASA, in response to our recommendation, developed and implemented department-wide policy and procedures for encryption key establishment and management.

Agency Affected: National Aeronautics and Space Administration
Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.
Status: Closed – Implemented
In fiscal year 2012, we verified that NASA, in response to our recommendation, had developed training materials and courses addressing encryption concepts, including proper operation of the encryption products used by the agency.

Topics

Access control, Authentication, Classified defense information, Computer networks, Computer security, Confidential communications, Data encryption, Data encryption standard, Data storage, Data transmission, Electronic data interchange, Government information dissemination, Information access, Information disclosure, Information infrastructure, Information management, Information security, Information security management, Information security regulations, Information storage and retrieval, Information technology, Internal controls, Laptops, Policy evaluation, Proprietary data, Regulatory agencies, Reporting requirements, Security policies, Security regulations, Software, Standards evaluation, Wireless networks, Policies and procedures