Recent leaks force U.S. government to patch up the pipes

After story after story of government laptops being stolen and compromised, the U.S. government is making progress in encrypting all information stored on its data devices. On June 23, 2006, a memorandum (PDF) from the Executive Office of the President mandated that all government mobile computers and devices must fully encrypt all data. The document recommends the following actions for all departments and agencies:

  • Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing.
  • Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
  • Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity.
  • Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

To fulfill the above requirements, the U.S. government began searching for the best full-disk encryption (FDE) solution in the form of an open contest.  All data stored on the device must be encrypted, including swap space and temporary files that may contain sensitive data -- the user should not have the capability to decide what gets encrypted and what does not.

Destroying cryptographic keys is also a quick way to destroy the data on an FDE system. To prevent this, the winner of the government search must also provide the capability of holding keys in escrow.

The original memo from the government intended that all safety measures were to be in place 45 days from the issue of the mandate, but according to this source, the U.S. government will conduct a 90-day evaluation of technologies to find the best solution. The product selected as the best will be implemented on all governmental agency computers, which potentially could result in the largest single implementation ever of FDE.

The information regarding the encryption solution selection process can be found in a U.S. Air Force section on the Federal Business Opportunities page, though the mandate from the President is believed to be government-wide. Found on the military’s Air Force site is a list of requirements and competing vendors (XLS) for the program.

The comparisons and competition will come to a close 90 days from the start. All information regarding the competition is open to the public. Seagate and Hitachi are currently the only two major vendors with hardware full-disk encryption solutions.

Copyright 2017 DailyTech LLC.