Information Security:

Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

GAO-08-525: Published: Jun 27, 2008. Publicly Released: Jul 28, 2008.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Many federal operations are supported by automated systems that may contain sensitive information such as national security information that, if lost or stolen, could be disclosed for improper purposes. Compromises of sensitive information at numerous federal agencies have raised concerns about the extent to which such information is vulnerable. The use of technological controls such as encryption--the process of changing plaintext into ciphertext--can help guard against the unauthorized disclosure of sensitive information. GAO was asked to determine (1) how commercially available encryption technologies can help agencies protect sensitive information and reduce risks; (2) the federal laws, policies, and guidance for using encryption technologies; and (3) the extent to which agencies have implemented, or plan to implement, encryption technologies. To address these objectives, GAO identified and evaluated commercially available encryption technologies, reviewed relevant laws and guidance, and surveyed 24 major federal agencies.

Commercially available encryption technologies can help federal agencies protect sensitive information that is stored on mobile computers and devices (such as laptop computers, handheld devices such as personal digital assistants, and portable media such as flash drives and CD-ROMs) as well as information that is transmitted over wired or wireless networks by reducing the risks of its unauthorized disclosure and modification. For example, information stored in individual files, folders, or entire hard drives can be encrypted. Encryption technologies can also be used to establish secure communication paths for protecting data transmitted over networks. While many products to encrypt data exist, implementing them incorrectly--such as failing to properly configure the product, secure encryption keys, or train users--can result in a false sense of security and render data permanently inaccessible.

Key laws frame practices for information protection, while federal policies and guidance address the use of encryption. The Federal Information Security Management Act of 2002 mandates that agencies implement information security programs to protect agency information and systems. In addition, other laws provide guidance and direction for protecting specific types of information, including agency-specific information. For example, the Privacy Act of 1974 requires that agencies adequately protect personal information, and the Health Insurance Portability and Accountability Act of 1996 requires additional protections for sensitive health care information. The Office of Management and Budget has issued policy requiring federal agencies to encrypt all data on mobile computers and devices that carry agency data and use products that have been approved by the National Institute of Standards and Technology (NIST) cryptographic validation program. Further, NIST guidance recommends that agencies adequately plan for the selection, installation, configuration, and management of encryption technologies.

The extent to which 24 major federal agencies reported that they have implemented encryption and developed plans to implement encryption of sensitive information varied across agencies. From July through September 2007, the major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 percent of their laptop computers and handheld devices. Additionally, agencies reported uncertainty regarding the applicability of OMB's encryption requirements for mobile devices, specifically portable media. While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result, federal information may remain at increased risk of unauthorized disclosure, loss, and modification.
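The summary above turns on two measurable conditions: whether a mobile device has an encryption product installed at all, and whether an installed product is a NIST-validated module, configured in its FIPS-approved mode, and still functioning. The script below is an added example (not GAO's code and not part of the report) of the kind of inventory check an agency could run against its endpoint-management data to answer both questions. The device records, product names and field names are constructed for illustration; the report-silence threshold of seven days is an assumed policy value.

```python
"""Mobile-device encryption coverage check over a constructed asset inventory.

Added example; the inventory schema (Device fields) and the sample records
are assumptions for illustration, not data from the GAO report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Device categories covered by the encrypt-all-mobile-data requirement.
MOBILE_KINDS = {"laptop", "handheld", "portable_media"}


@dataclass
class Device:
    asset_id: str
    kind: str                        # "laptop", "handheld", "portable_media", ...
    product: Optional[str]           # installed encryption product, None if none
    fips_validated: bool             # product is a NIST-validated cryptographic module
    fips_mode: bool                  # product is configured in its FIPS-approved mode
    last_report_days: Optional[int]  # days since the product agent last checked in


def assess(device: Device, max_silence_days: int = 7) -> List[str]:
    """Return the findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if device.kind not in MOBILE_KINDS:
        return findings  # out of scope for the mobile-device requirement
    if device.product is None:
        return ["no_encryption_product"]  # remaining checks are moot
    if not device.fips_validated:
        findings.append("product_not_fips_validated")
    if not device.fips_mode:
        findings.append("product_not_in_fips_mode")
    # "Effective functioning": an installed agent that never reports, or has
    # gone silent, cannot be assumed to be protecting the device.
    if device.last_report_days is None:
        findings.append("product_never_reported")
    elif device.last_report_days > max_silence_days:
        findings.append("product_not_reporting")
    return findings


def summarize(devices: List[Device], max_silence_days: int = 7) -> Dict[str, object]:
    """Aggregate per-device findings into the figures a program office reports."""
    in_scope = [d for d in devices if d.kind in MOBILE_KINDS]
    per_device = {d.asset_id: assess(d, max_silence_days) for d in in_scope}
    unencrypted = [a for a, f in per_device.items() if "no_encryption_product" in f]
    noncompliant = sorted(a for a, f in per_device.items() if f)
    counts: Dict[str, int] = {}
    for findings in per_device.values():
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    pct = round(100.0 * len(unencrypted) / len(in_scope), 1) if in_scope else 0.0
    return {
        "in_scope": len(in_scope),
        "unencrypted": len(unencrypted),
        "unencrypted_pct": pct,
        "noncompliant": noncompliant,
        "findings": counts,
    }


# Constructed sample inventory (product names are placeholders).
SAMPLE_INVENTORY = [
    Device("LT-001", "laptop", "FDE-Suite", True, True, 1),          # compliant
    Device("LT-002", "laptop", None, False, False, None),            # nothing installed
    Device("LT-003", "laptop", "FDE-Suite", True, False, 2),         # not in FIPS mode
    Device("HH-001", "handheld", "MobileCrypt", False, True, 30),    # unvalidated, silent
    Device("PM-001", "portable_media", None, False, False, None),    # nothing installed
    Device("SV-001", "server", None, False, False, None),            # out of scope
]

if __name__ == "__main__":
    report = summarize(SAMPLE_INVENTORY)
    print(f"{report['unencrypted']} of {report['in_scope']} mobile devices "
          f"({report['unencrypted_pct']}%) have no encryption product installed")
    for asset_id in report["noncompliant"]:
        device = next(d for d in SAMPLE_INVENTORY if d.asset_id == asset_id)
        print(f"  {asset_id}: {', '.join(assess(device))}")
```

The two-tier split matters in practice: the "unencrypted" percentage is the figure the agencies reported to GAO, but a device counted as encrypted still fails if its product is unvalidated, misconfigured, or no longer reporting, which is the gap the monitoring recommendations below are aimed at.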

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that NASA, in response to our recommendation, had developed training materials and courses addressing encryption concepts, including proper operation of the encryption products used by the agency.

    Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.

    Agency Affected: National Aeronautics and Space Administration

  2. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that Education, in response to our recommendation, had developed and implemented guidance for encryption key establishment and management.

    Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

    Agency Affected: Department of Education

  3. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that Education configured its installed encryption product in accordance with FIPS-140-2.

    Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to configure installed FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product.

    Agency Affected: Department of Education

  4. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that Education has installed a FIPS-140-2 compliant encryption product.

    Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to evaluate, select, and install federal information processing standards (FIPS) 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency.

    Agency Affected: Department of Education

  5. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that USDA, in response to our recommendation, had developed a training program through its internal training system that includes courses that directly pertain to encryption software used agency-wide.

    Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.

    Agency Affected: Department of Agriculture

  6. Status: Closed - Not Implemented

    Comments: In fiscal year 2012, our review of evidence provided by the Department of Agriculture found that the department had not developed and implemented procedures for encryption key establishment and management.

    Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to develop and implement departmentwide procedures for encryption key establishment and management.

    Agency Affected: Department of Agriculture

  7. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that the Department of Agriculture had established and implemented a system that monitors the installation of encryption products installed on devices.

    Recommendation: To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, the Secretary of Agriculture should direct the chief information officer to establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices.

    Agency Affected: Department of Agriculture

  8. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, through its annual reporting metrics, began monitoring agencies' encryption efforts.

    Recommendation: To assist agencies with effectively planning for and implementing encryption technologies to protect sensitive information, the Director of the Office of Management and Budget should monitor the effectiveness of the agencies' encryption implementation plans and efforts to inventory the sensitive information they hold.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  9. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that in its April 21, 2010 annual reporting instructions to federal agencies, OMB clarified governmentwide policy related to encryption.

    Recommendation: To assist agencies with effectively planning for and implementing encryption technologies to protect sensitive information, the Director of the Office of Management and Budget should clarify governmentwide policy requiring agencies to encrypt sensitive agency data through the promulgation of additional guidance and/or through educational activities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  10. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that Education had developed and implemented departmentwide procedures that direct its use of FIPS-compliant cryptography.

    Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.

    Agency Affected: Department of Education

  11. Status: Closed - Implemented

    Comments: In fiscal year 201 we verified that Education had developed training materials for the operation of specific encryption technologies by incorporating encryption concepts into a cybersecurity and privacy awareness course.

    Recommendation: To improve the life cycle management of encryption technologies, the Secretary of the Department of Education should direct the chief information officer to develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used.

    Agency Affected: Department of Education

  12. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that HUD selected and installed FIPS 140-compliant products and documented a project plan for the implementation of FIPS 140-compliant products.

    Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to evaluate, select, and install FIPS 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency.

    Agency Affected: Department of Housing and Urban Development

  13. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that NASA, in response to our recommendation, developed and implemented department-wide policy and procedures for encryption key establishment and management.

    Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

    Agency Affected: National Aeronautics and Space Administration

  14. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that NASA had implemented a mechanism that monitors the installation of its encryption products on agency devices and alerts the agency if the installation on any given device was not successful.

    Recommendation: As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, the Administrator of the National Aeronautics and Space Administration should direct the chief information officer to establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices.

    Agency Affected: National Aeronautics and Space Administration

  15. Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that as of July 2009, GSA issued an updated departmentwide IT Security Policy, which required the implementation of FIPS cryptographic modules. We also verified that as of November 2008, GSA had issued procedural guidance for FIPS cryptographic key management and modules.

    Recommendation: To improve the life cycle management of encryption technologies at the General Services Administration, the Administrator of the General Services Administration should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.

    Agency Affected: General Services Administration

  16. Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that GSA, as of July 2009, issued an updated departmentwide IT Security Policy, which addressed GSA encryption policies for mobile devices, personally identifiable information, and key management. We also verified that as of November 2008, GSA had issued procedural guidance for encryption key management.

    Recommendation: To improve the life cycle management of encryption technologies at the General Services Administration, the Administrator of the General Services Administration should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

    Agency Affected: General Services Administration

  17. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that State, in response to our recommendation, had developed and implemented departmentwide procedures that direct its use of FIPS-compliant cryptography.

    Recommendation: To improve the life cycle management of encryption technologies at the Department of State, the Secretary of State should direct the chief information officer to develop and implement departmentwide procedures for use of FIPS-compliant cryptography.

    Agency Affected: Department of State

  18. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that State, in response to our recommendation, had developed and implemented policies and procedures for encryption key establishment and management.

    Recommendation: To improve the life cycle management of encryption technologies at the Department of State, the Secretary of State should direct the chief information officer to develop and implement departmentwide policy and procedures for encryption key establishment and management.

    Agency Affected: Department of State

  19. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that HUD implemented 2009 information technology security procedures that provide department-wide procedures for the use of FIPS-compliant cryptography and for encryption key establishment and management.

    Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to develop and implement departmentwide procedures for the use of FIPS-compliant cryptography and for encryption key establishment and management.

    Agency Affected: Department of Housing and Urban Development

  20. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that HUD configured FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product.

    Recommendation: To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, the Secretary of Housing and Urban Development should direct the chief information officer to configure installed FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product.

    Agency Affected: Department of Housing and Urban Development
