Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains (27-JUN-08, GAO-08-525). Many federal operations are supported by automated systems that may contain sensitive information such as national security information that, if lost or stolen, could be disclosed for improper purposes. Compromises of sensitive information at numerous federal agencies have raised concerns about the extent to which such information is vulnerable. The use of technological controls such as encryption--the process of changing plaintext into ciphertext--can help guard against the unauthorized disclosure of sensitive information. GAO was asked to determine (1) how commercially available encryption technologies can help agencies protect sensitive information and reduce risks; (2) the federal laws, policies, and guidance for using encryption technologies; and (3) the extent to which agencies have implemented, or plan to implement, encryption technologies. To address these objectives, GAO identified and evaluated commercially available encryption technologies, reviewed relevant laws and guidance, and surveyed 24 major federal agencies. -------------------------Indexing Terms------------------------- REPORTNUM: GAO-08-525 ACCNO: A82599 TITLE: Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains DATE: 06/27/2008 SUBJECT: Access control Authentication Classified defense information Computer networks Computer security Confidential communication Data encryption Data encryption standard Data storage Data transmission Electronic data interchange Government information dissemination Information access Information disclosure Information infrastructure Information management Information security Information security management Information security regulations Information storage and retrieval Information technology Internal controls Laptops Policy evaluation Proprietary data Regulatory agencies Reporting requirements Security policies Security regulations Software Standards evaluation Wireless networks Policies and procedures ****************************************************************** ** This file contains an ASCII representation of the text of a ** ** GAO Product. ** ** ** ** No attempt has been made to display graphic images, although ** ** figure captions are reproduced. Tables are included, but ** ** may not resemble those in the printed version. ** ** ** ** Please see the PDF (Portable Document Format) file, when ** ** available, for a complete electronic file of the printed ** ** document's contents. ** ** ** ****************************************************************** GAO-08-525 This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to [email protected]. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: June 2008: Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains: GAO-08-525: GAO Highlights: Highlights of GAO-08-525, a report to congressional requesters. Why GAO Did This Study: Many federal operations are supported by automated systems that may contain sensitive information such as national security information that, if lost or stolen, could be disclosed for improper purposes. Compromises of sensitive information at numerous federal agencies have raised concerns about the extent to which such information is vulnerable. The use of technological controls such as encryption�the process of changing plaintext into ciphertext�can help guard against the unauthorized disclosure of sensitive information. GAO was asked to determine (1) how commercially available encryption technologies can help agencies protect sensitive information and reduce risks; (2) the federal laws, policies, and guidance for using encryption technologies; and (3) the extent to which agencies have implemented, or plan to implement, encryption technologies. To address these objectives, GAO identified and evaluated commercially available encryption technologies, reviewed relevant laws and guidance, and surveyed 24 major federal agencies. What GAO Found: Commercially available encryption technologies can help federal agencies protect sensitive information that is stored on mobile computers and devices (such as laptop computers, handheld devices such as personal digital assistants, and portable media such as flash drives and CD-ROMs) as well as information that is transmitted over wired or wireless networks by reducing the risks of its unauthorized disclosure and modification. For example, information stored in individual files, folders, or entire hard drives can be encrypted. Encryption technologies can also be used to establish secure communication paths for protecting data transmitted over networks. While many products to encrypt data exist, implementing them incorrectly------such as failing to properly configure the product, secure encryption keys, or train users------can result in a false sense of security and render data permanently inaccessible. Key laws frame practices for information protection, while federal policies and guidance address the use of encryption. The Federal Information Security Management Act of 2002 mandates that agencies implement information security programs to protect agency information and systems. In addition, other laws provide guidance and direction for protecting specific types of information, including agency-specific information. For example, the Privacy Act of 1974 requires that agencies adequately protect personal information, and the Health Insurance Portability and Accountability Act of 1996 requires additional protections for sensitive health care information. The Office of Management and Budget has issued policy requiring federal agencies to encrypt all data on mobile computers and devices that carry agency data and use products that have been approved by the National Institute for Standards and Technology (NIST) cryptographic validation program. Further, NIST guidance recommends that agencies adequately plan for the selection, installation, configuration, and management of encryption technologies. The extent to which 24 major federal agencies reported that they have implemented encryption and developed plans to implement encryption of sensitive information varied across agencies. From July through September 2007, the major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 percent of their laptop computers and handheld devices. Additionally, agencies reported uncertainty regarding the applicability of OMB�s encryption requirements for mobile devices, specifically portable media. While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result federal information may remain at increased risk of unauthorized disclosure, loss, and modification. What GAO Recommends: GAO is making recommendations to (1) the Director of the Office of Management and Budget (OMB) to clarify guidance and (2) selected agencies to strengthen practices for planning and implementing the use of encryption. In comments on a draft of this report, OMB and the agencies generally agreed with the recommendations. To view the full product, including the scope and methodology, click on GAO-08-525. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or [email protected]. [End of section] Contents: Letter: Results in Brief: Background: Commercially Available Encryption Technologies Can Help Agencies Reduce Risks: Key Laws Frame Practices for Information Protection, while Federal Policies and Guidance Address Use of Encryption: Efforts to Encrypt Sensitive Information Varied among Agencies: Conclusions: Recommendations for Executive Action: Agency Comments: Appendix I: Objectives, Scope, and Methodology: Appendix II: Important Considerations for Implementing Encryption to Effectively Reduce Agency Risks: Appendix III: Hindrances Faced by Agencies when Implementing Encryption: Appendix IV: GSA SmartBUY Program for Data-at-Rest Encryption Products: Appendix V: Comments from the Office of Management and Budget: Appendix VI: Comments from the Department of Education: Appendix VII: Comments from the Department of Housing and Urban Development: Appendix VIII: Comments from the Department of State: Appendix IX: Comments from the General Services Administration: Appendix X: Comments from the National Aeronautics and Space Administration: Appendix XI: GAO Contact and Staff Acknowledgments: Glossary: Tables: Table 1: Commercially Available Encryption Technologies: Table 2: Key Laws That Provide a Framework for Agencies to Use in Protecting Sensitive Information: Table 3: Major OMB Memorandums Related to the Use of Encryption: Table 4: Key NIST Publications for Implementing Encryption Technology: Table 5: Agency Policies and Procedures That Address NIST Encryption Controls: Table 6: Hindrances to Implementing Encryption at Federal Agencies: Table 7: Examples of Volume Discount Pricing Available through SmartBUY: Figures: Figure 1: Incidents Reported to US-CERT in Fiscal Years 2005 through 2007: Figure 2 : Encryption and Decryption: Figure 3: Percentage of Encrypted Laptop Computers and Handheld Computing Devices at 24 Major Federal Agencies: Figure 4: Agency Status of Encrypting Sensitive Information Transmitted Over Wired and Wireless Networks: Abbreviations: CD-ROM: compact disc read only memory: DVD: digital versatile disc: FIPS: federal information processing standards: FISMA: Federal Information Security Management Act of 2002: GSA: General Services Administration: HUD: Department of Housing and Urban Development: IT: information technology: NASA: National Aeronautics and Space Administration: NIST: National Institute of Standards and Technology: OMB: Office of Management and Budget: PKI: public key infrastructures: SmartBUY: Software Managed and Acquired on the Right Terms: USB: universal serial bus: US-CERT: U.S. Computer Emergency Readiness Team: USDA: U.S. Department of Agriculture: United States Government Accountability Office: Washington, DC 20548: June 27, 2008: The Honorable Bennie G. Thompson: Chairman: Committee on Homeland Security: House of Representatives: The Honorable Jane Harman: Chairwoman: Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment: Committee on Homeland Security: House of Representatives: The Honorable Zoe Lofgren: House of Representatives: In 2006, the Department of Veterans Affairs reported that a laptop computer and external hard drive--that had not been encrypted or password protected and that contained the personal information of approximately 26.5 million veterans and United States military personnel--had been stolen from an employee's home. This incident and the increasing number of data breaches reported by other government agencies--such as the Departments of Defense and Health and Human Services and the Transportation Security Administration--have raised concerns about the extent to which sensitive information maintained by the federal government is vulnerable and what current laws, policies, and practices are in place to protect that information.[Footnote 1] In June 2006, GAO testified that federal agencies should consider the use of encryption technologies to improve their ability to protect information from improper disclosure,[Footnote 2] particularly when data must be stored on mobile computers and devices such as laptop computers, handheld personal digital assistants, and portable media such as flash drives and CD-ROMs. Encryption protects data through a process of transforming ordinary data (commonly referred to as plaintext) into code form (ciphertext) using a special value known as a key and a mathematical process called an algorithm.[Footnote 3] Encryption technologies include commercially available products (such as hardware or software) that create the capability to encrypt data. In response to your request, our objectives were to determine (1) how commercially available encryption technologies could help federal agencies protect sensitive information and reduce risks; (2) the federal laws, policies, and guidance for using encryption technologies to protect sensitive information; and (3) the extent to which agencies have implemented, or planned to implement, encryption technologies to protect sensitive information. To address these objectives, we identified commercially available encryption technologies by reviewing prior GAO reports on technology, researching products approved by the National Institute of Standards and Technology (NIST), and interviewing NIST encryption experts. We also reviewed relevant laws, policies, and guidance to identify the mandatory and optional practices for protecting sensitive information (including personally identifiable information[Footnote 4]) that federal agencies collect and handle. In addition, we surveyed 24 major federal agencies and examined supporting documentation regarding agency efforts to implement encryption.[Footnote 5] We also examined encryption practices at six of these agencies to determine whether these practices met federal requirements for installation and configuration of Federal Information Processing Standards (FIPS)- validated cryptographic modules, encryption products, and associated management controls. We conducted this performance audit from February 2007 through June 2008 in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I contains additional details on the objectives, scope, and methodology of our review. Results in Brief: Many types of commercially available encryption technologies can help federal agencies protect sensitive information and reduce the risks to the sensitive data stored on agency equipment or transmitted across a network. Data stored in individual files, folders, or entire drives can be encrypted when not in use. Types of technologies to protect stored data include full disk encryption, hardware-based encryption, and file, folder, or virtual disk encryption. In addition, encryption technologies can be used to establish secure communication paths for protecting data transmitted over networks through the use of virtual private networks and digital certificates. While many technologies to encrypt data exist, implementing them incorrectly--such as failing to properly configure the product, secure encryption keys, or train users- -can create a false sense of security and even render data permanently inaccessible. Although key federal laws do not specifically address the use of encryption, they provide a framework of information protection activities and direct the Office of Management and Budget (OMB) and NIST to develop policies, standards, and guidance for federal agencies to use in implementing technologies, such as encryption, to protect sensitive information. Among these laws is the Federal Information Security Management Act of 2002 (FISMA), which mandates that agencies implement information security programs to protect agency information and systems. In addition, the Privacy Act of 1974 requires that agencies adequately protect personal information maintained in federal systems of records,[Footnote 6] and the Health Insurance Portability and Accountability Act of 1996 addresses the protection of personal medical information. To specifically direct agencies' use of encryption, OMB issued a policy in 2006 recommending, and in 2007 requiring, that all agencies encrypt all data on mobile computers and devices that carry sensitive agency data and also reinforced the long- standing requirement that agencies use products that have been approved by NIST's cryptographic module validation program. Further, NIST has published guidelines for federal agencies to use in planning and implementing encryption technologies; these guidelines address the documentation of comprehensive implementation plans; the installation and configuration of selected encryption technologies, policies and procedures for managing encryption; and user training. The extent to which 24 major federal agencies reported that they have implemented encryption and to which they have developed plans to implement encryption varied across the agencies. While all agencies had initiated efforts to encrypt sensitive agency information, the encryption of information stored on mobile devices lagged behind efforts to encrypt information transmitted over networks. For example, overall, agencies reported in July through September 2007 that they had not yet installed encryption software on about 70 percent of their laptop computers and handheld mobile computing devices combined. Although progress was under way at agencies governmentwide, agencies reported uncertainty regarding the applicability of OMB's encryption requirements. In addition, none of the agencies had documented comprehensive plans to guide encryption implementation activities, such as inventorying information to determine encryption needs; documenting how the agency plans to select, install, configure, and monitor encryption technologies; developing and documenting encryption policies and procedures; and training personnel in the use of installed encryption. Further, our tests at 6 selected agencies revealed weaknesses in the encryption implementation practices involving the installation and configuration of FIPS-validated cryptographic modules, encryption products, monitoring the effectiveness of installed encryption technologies, the development and documentation of policies and procedures for managing these technologies, and training of personnel in the proper use of installed encryption products. As a result of these weaknesses, federal information may remain at increased risk of unauthorized disclosure, loss, and modification. We are recommending that OMB clarify governmentwide encryption policy to address agency efforts to plan for and implement encryption technologies. We are also making recommendations to selected agencies to properly install and configure FIPS-compliant encryption technologies, to develop policies and procedures to manage encryption, and to provide encryption training to personnel. We obtained written comments on a draft of this report from OMB, the Departments of Education, Housing and Urban Development, and State, as well as the General Services Administration and the National Aeronautics and Space Administration; these comments are reproduced in appendixes V to X, respectively. We also obtained comments from the Department of Agriculture via e-mail. OMB generally agreed with the report's contents and stated that it would carefully consider our recommendations. The other six agencies also agreed with the report's findings and recommendations. In addition, NIST and the Social Security Administration provided technical comments, which we have incorporated as appropriate. Background: Virtually all federal operations are supported by automated systems, mobile devices, and electronic media that may contain sensitive information such as Social Security numbers, medical records, law enforcement data, national or homeland security information, and proprietary information that could be inappropriately disclosed, browsed, or copied for improper or criminal purposes. In our survey of 24 major federal agencies, 10 agencies reported having systems that contain sensitive medical information, 16 reported having systems that contain sensitive regulatory information, 19 reported having systems that contain sensitive personal information, and 20 reported having systems that contain sensitive program-specific information. It is important for agencies to safeguard sensitive information because, if left unprotected, the information could be compromised--leading to loss or theft of resources (such as federal payments and collections), modification or destruction of data, or unauthorized use of computer resources, including launching attacks on other computer systems. Factors Placing Sensitive Information at Risk: Many factors can threaten the confidentiality, integrity, and availability of sensitive information. Cyber threats to federal systems and critical infrastructures containing sensitive information can be intentional or unintentional, targeted or nontargeted, and can come from a variety of sources.[Footnote 7] Intentional threats include both targeted and nontargeted attacks. A targeted attack occurs when a group or individual specifically attacks an information system. A nontargeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target. Unintentional threats can be caused by software upgrades or maintenance procedures that inadvertently disrupt systems. The Federal Bureau of Investigation has identified multiple sources of threats to our nation's critical information systems, including those from foreign nation states engaged in information warfare, domestic criminals, hackers, virus writers, and disgruntled current and former employees working within an organization. There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack. According to the Director of National Intelligence, ''our information infrastructure--including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries--increasingly is being targeted for exploitation and potentially for disruption or destruction by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The intelligence community expects these trends to continue in the coming year."[Footnote 8] Threats to mobile devices are posed by people with malicious intentions, including causing mischief and disruption as well as committing identity theft and other forms of fraud. For example, malware threats can infect data stored on devices, and data in transit can be intercepted through many means, including from e-mail, Web sites, file downloads, file sharing, peer-to-peer software, and instant messaging. Another threat to mobile devices is the loss or theft of the device. Someone who has physical access to an electronic device can attempt to view the information stored on it. Incidents at Federal Agencies Demonstrate That Sensitive Information Is at Risk: Examples of Data Breaches at Federal Agencies: Defense: February 2008: A laptop computer containing personally identifiable information for as many as 4,000 participants in the Marine Corps community services' New Parent Support Program was stolen. Energy: December 2007: A hacker gained access to an Energy computer by embedding a program, in an e-mail sent to staff, that allowed the hacker to copy and retrieve information. Transportation Security Administration: May 2007: An external hard drive, discovered missing from a controlled area at agency headquarters human capital office, contained personal data for 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. Source: GAO based on agency-reported incidents. [End of figure] The need for effective information security policies and practices is further illustrated by the increasing number of security incidents reported by federal agencies that put sensitive information at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby potentially exposing those individuals to loss of privacy, identity theft, and financial crimes. Reported attacks and unintentional incidents involving critical infrastructure systems demonstrate that a serious attack could be devastating. Agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices. When incidents occur, agencies are to notify the federal information security incident center--the U.S. Computer Emergency Readiness Team (US-CERT). As shown in figure 1, the number of incidents reported by federal agencies to US-CERT has increased dramatically over the past 3 years, increasing from 3,634 incidents reported in fiscal year 2005 to 13,029 incidents in fiscal year 2007 (about a 259 percent increase). Figure 1: Incidents Reported to US-CERT in Fiscal Years 2005 through 2007: This figure is a vertical bar graph is showing incidents reported to US- CERT in fiscal years 2005 through 2007. The X axis represents the fiscal year, and the Y axis represents the number of incidents reported. Year: FY05; Number of incidents: 3,634. Year: FY06; Number of incidents: 5,503. Year: FY07; Number of incidents: 13,029. [See PDF for image] Source: GAO analysis of US-CERT data. [End of figure] Data breaches present federal agencies with potentially serious and expensive consequences; for example, a security breach might require an agency to fund the burdensome costs of notifying affected individuals and associated credit monitoring services or it could jeopardize the agency's mission. Implementation of a risk-based framework of management, operational, and technical controls that includes controls such as encryption technology can help guard against the inadvertent compromise of sensitive information. While encrypting data might add to operational burdens by requiring individuals to enter pass codes or use other means to encrypt and decrypt data, it can also help to mitigate the risk associated with the theft or loss of computer equipment that contains sensitive data. Workforce Mobility Introduces Additional Risks to Sensitive Information: Protecting information has become more challenging in today's IT environment of highly mobile workers and decreasing device size. Using small, easily pilferable devices such as laptop computers, handheld personal digital assistants, thumb-sized Universal Serial Bus (USB) flash drives, and portable electronic media such as CD-ROMs and DVDs, employees can access their agency's systems and information from anywhere. When computers were larger and stationary, sensitive information that was stored on mainframe computers was accessible by only a limited number of authorized personnel via terminals that were secured within the physical boundaries of the agency's facility. Now, mobile workers can process, transport, and transmit sensitive information anywhere they work. This transition from a stationary environment to a mobile one has changed the type of controls needed to protect the information.[Footnote 9] Encryption technologies, among other controls, provide agencies with an alternate method of protecting sensitive information that compensates for the protections offered by the physical security controls of an agency facility when the information is removed from, or accessed from, outside of the agency location. Encryption Can Help Protect Sensitive Information: Data breaches can be reduced through the use of encryption, which is the process of transforming plaintext into ciphertext using a special value known as a key and a mathematical process called an algorithm (see fig. 2). Figure 2: Encryption and Decryption: This figure is a visual diagram of encryption and decryption. Plaintext; Key Encryption; Ciphertext; Key Decryption; Original plaintext. [See PDF for image] Source: GAO analysis. [End of figure] Cryptographic algorithms are designed to produce ciphertext that is unintelligible to unauthorized users. Decryption of ciphertext-- returning the encoded data to plaintext--is possible by using the proper key. Encryption can protect sensitive information in storage and during transmission. Encryption of data in transit hides information as it moves, for example, between a database and a computing device over the Internet, local networks, or via fax or wireless networks. Stored data include data stored in files or databases, for example, on a personal digital assistant, a laptop computer, a file server, a DVD, or a network storage appliance. Encryption may also be used in system interconnection devices such as routers, switches, firewalls, servers, and computer workstations to apply the appropriate level of encryption required for data that pass through the interconnection.[Footnote 10] Commercially Available Encryption Technologies Can Help Agencies Reduce Risks: Commercially available encryption technologies can help federal agencies protect sensitive information and reduce the risks of its unauthorized disclosure and modification. These technologies have been designed to protect information stored on computing devices or other media and transmitted over wired or wireless networks. Because the capability of each type of encryption technology to protect information is limited by the boundaries of the file, folder, drive, or network covered by that type of technology, a combination of several technologies may be required to ensure that sensitive information is continuously protected as it flows from one point, such as a remote mobile device, to another point, such as a network or portable electronic media. For example, one product that encrypts a laptop's hard drive may not provide any protection for files copied to portable media, attached to an e-mail, or transmitted over a network. Encryption Technologies to Protect Stored Information Are Available: Agencies have several options available when selecting an encryption technology for protecting stored data. According to NIST guidance on encrypting stored information,[Footnote 11] these include full disk, hardware-based, file, folder, or virtual disk encryption. Through the use of these technologies, encryption can be applied granularly, to an individual file that contains sensitive information, or broadly, by encrypting an entire hard drive. The appropriate encryption technology for a particular situation depends primarily on the type of storage, the amount of information that needs to be protected, and the threats that need to be mitigated. Storage encryption technologies require users to authenticate successfully before accessing the information that has been encrypted. The combination of encryption and authentication controls access to the stored information. Full Disk Encryption: Full disk encryption software encrypts all data on the hard drive used to boot a computer, including the computer's operating system, and permits access to the data only after successful authentication to the full disk encryption software. The majority of current full disk encryption products are implemented entirely within a software application. The software encrypts all information stored on the hard drive and installs a special environment to authenticate the user and begin decrypting the drive. Users enter their user identification and password before decrypting and starting the operating system. Once a user authenticates to the operating system by logging in, the user can access the encrypted files without further authentication, so the security of the solution is heavily dependent on the strength of the operating system authenticator. When a computer is turned off, all the information encrypted by full disk encryption is protected, assuming that pre-boot authentication is required. After the computer is booted, full disk encryption provides no protection and the operating system becomes fully responsible for protecting the unencrypted information. Hardware-Based Encryption: Full disk encryption can also be built into a hard drive. Hardware and software-based full disk encryption offer similar capabilities through different mechanisms. When a user tries to boot a device protected with hardware-based full disk encryption, the hard drive prompts the user to authenticate before it allows an operating system to load. The full disk encryption capability is built into the hardware in such a way that it cannot be disabled or removed from the drive. The encryption code and authenticators, such as passwords and cryptographic keys,[Footnote 12] are stored securely on the hard drive. Because the encryption and decryption are performed by the hard drive itself, without any operating system participation, typically there is very little performance impact. A major difference between software-and hardware-based full disk encryption is that software-based full disk encryption can be centrally managed, but hardware-based full disk encryption can usually be managed only locally. This makes key management and recovery actions considerably more resource-intensive and cumbersome for hardware-based full disk encryption than for software-based. Another major difference is that because hardware-based full disk encryption performs all cryptographic processing within the hard drive's hardware, it does not need to place its cryptographic keys in the computer's memory, potentially exposing the keys to malware and other threats. A third significant difference is that hardware-based full disk encryption does not cause conflicts with software that modifies the master boot record, for example, software that allows the use of more than one operating system on a hard drive. File, Folder, and Virtual Disk Encryption: File, folder, and virtual disk encryption are all used to encrypt specified areas of data on a storage medium such as a laptop hard drive. File encryption encrypts files, a collection of information logically grouped into a single entity and referenced by a unique name, such as a file name. Folder encryption encrypts folders, a type of organizational structure used to group files. Virtual disk encryption encrypts a special type of file--called a container--that is used to encompass and protect other files. File encryption is the process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided. Folder encryption is very similar to file encryption, except that it addresses individual folders instead of files. Some operating systems offer built-in file and/or folder encryption capabilities, and many third-party programs are also commercially available. File/folder encryption does not provide any protection for data outside the protected files or folders such as unencrypted temporary files that may contain the contents of any unencrypted files being held in computer memory. Virtual disk encryption is the process of encrypting a container. The container appears as a single file but can hold many files and folders that are not seen until the container is decrypted. Access to the data within the container is permitted only after proper authentication is provided, at which point the container appears as a logical disk drive that may contain many files and folders. Virtual disk encryption does not provide any protection for data created outside the protected container, such as unencrypted temporary files, that could contain the contents of any unencrypted files being held in computer memory. Agency Information Can Be Encrypted while in Transit over a Network: Sensitive data are also at risk during transmission across unsecured-- untrusted--networks such as the Internet. For example, as reported by NIST,[Footnote 13] transmission of e-mail containing sensitive information or direct connections for the purpose of processing information between a mobile device and an internal trusted system can expose sensitive agency data to monitoring or interception. According to both NIST[Footnote 14] and an industry source,[Footnote 15] agencies can use commercially available encryption technologies such as virtual private networks and digital signatures to encrypt sensitive data while they are in transit over a wired or wireless network. Virtual Private Networks: According to NIST,[Footnote 16] a virtual private network is a data network that enables two or more parties to communicate securely across a public network by creating a private connection, or "tunnel," between them. Because a virtual private network can be used over existing networks such as the Internet, it can facilitate the secure transfer of sensitive data across public networks. Virtual private networks can also be used to provide a secure communication mechanism for sensitive data such as Web-based electronic transactions and to provide secure remote access to an organization's resources. Digital Signatures and Digital Certificates: Properly implemented digital signature technology uses public key cryptography to provide authentication, data integrity, and nonrepudiation for a message or transaction. As NIST states,[Footnote 17] public key infrastructures[Footnote 18] (PKI) can be used not only to encrypt data but also to authenticate the identity of specific users. Just as a physical signature provides assurance that a letter has been written by a specific person, a digital signature is an electronic credential created using a party's private key with an encryption algorithm.[Footnote 19] When it is added to a document, it can be used to confirm the identity of a document's sender since it also contains the user's public key and name of the encryption algorithm. Validating the digital signature not only confirms who signed it, but also ensures that there have been no alterations to the document since it was signed. Digital signatures may also be employed in authentication protocols to confirm the identity of the user before establishing a session. Specifically, digital signatures can be used to provide higher assurance authentication (in comparison with passwords) when establishing virtual private networks. Digital signatures are often used in conjunction with digital certificates. A digital certificate is an electronic credential that guarantees the association between a public key and a specific entity, such as a person or organization. As specified by NIST, the signature on the document can be validated by using the public key from the digital certificate issued to the signer. Validating the digital certificate, the system can confirm that the user's relationship to the organization is still valid. The most common use of digital certificates is to verify that a user sending a message is who he or she claims to be and to provide the receiver with a means to encode a reply. For example, an agency virtual private network could use these certificates to authenticate the identity of the user, verify that the key is still good, and that he or she is still employed by the agency. Encryption Technologies Available for Handheld Mobile Computing Devices: NIST guidance further states that encryption software can be used to protect the confidentiality of sensitive information stored on handheld mobile computing devices and mirrored on the desktop computer.[Footnote 20] The information on the handheld's add-on backup storage modules can also be encrypted when not in use. This additional level of security can be added to provide an extra layer of defense, further protecting sensitive information stored on handheld devices. In addition, encryption technologies can protect data on handheld devices while the data are in transit. Users often subscribe to third- party wireless Internet service providers, which use untrusted networks; therefore, the handheld device would require virtual private network software and a supporting corporate system to create a secure communications tunnel to the agency. Table 1 describes the types of commercial encryption technologies available to agencies. Table 1: Commercially Available Encryption Technologies: Technology: Full disk encryption (software); Use: Stored data; Description: Full disk encryption software encrypts all data on the hard drive that is used first when a computer is turned on, including the computer's operating system, and permits access to the data only after successful authentication to the full disk encryption software. Technology: Hardware-based encryption; Use: Stored data; Description: Full disk encryption can also be built into a hard drive. Technology: File encryption; Use: Stored data; Description: File encryption is the process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided. Technology: Folder encryption; Use: Stored data; Description: Folder encryption is very similar to file encryption, only it addresses individual folders instead of files. Technology: Virtual disk encryption; Use: Stored data; Description: Virtual disk encryption is the process of encrypting a file called a container, which can hold many files and folders. Access to the data within the container is permitted only after proper authentication is provided. Technology: Virtual private networks; Use: Data in transit; Description: A virtual private network serves as an encrypted tunnel to provide a secure communications mechanism for data in transit between networks. Technology: Digital signatures and digital certificates; Use: Stored data and data in transit; Description: A digital signature is an electronic credential created using a party's private key with an encryption algorithm. A digital certificate is an electronic credential that guarantees the association between a public key and a specific entity. Technology: Handheld mobile computing devices; Use: Stored data and data in transit; Description: Commercial encryption technologies allow users to send and receive encrypted e-mail and access data wirelessly using secure NIST- approved algorithms. Data stored on the handheld mobile computing devices (for example, e-mail messages, contacts, and appointments) can also be encrypted. Source: GAO analysis, Defense Information Systems Agency, Vendor Technical Overview, and NIST special publications. [End of table] While many technologies exist to protect data, implementing them incorrectly--such as failing to properly configure the product, secure encryption keys, or train users--can result in a false sense of security or even render data permanently inaccessible. See appendix II for a discussion of decisions agencies face and important considerations for effectively implementing encryption to reduce agency risks. Key Laws Frame Practices for Information Protection, while Federal Policies and Guidance Address Use of Encryption: Although federal laws do not specifically require agencies to encrypt sensitive information, they give federal agencies responsibilities for protecting it. Specifically, FISMA, included within the E-Government Act of 2002,[Footnote 21] provides a comprehensive framework for ensuring the effectiveness of information security controls over federal agency information and information systems. In addition, other laws frame practices for protecting specific types of sensitive information. OMB is responsible for establishing governmentwide policies and for providing guidance to agencies on how to implement the provisions of FISMA, the Privacy Act, and other federal information security and privacy laws. In the wake of recent security breaches involving personal data, OMB issued guidance in 2006 and 2007 reiterating the requirements of these laws and guidance. In this guidance, OMB directed, among other things, that agencies encrypt data on mobile computers or devices and follow NIST security guidelines. In support of federal laws and policies, NIST provides federal agencies with planning and implementation guidance and mandatory standards for identifying and categorizing information types, and for selecting adequate controls based on risk, such as encryption, to protect sensitive information. Key Laws Provide Framework for Protecting Sensitive Information: Although federal laws do not specifically address the use of encryption, they provide a framework for agencies to use to protect their sensitive information. FISMA, which is Title III of the E- Government Act of 2002, emphasizes the need for federal agencies to develop, document, and implement programs using a risk-based approach to provide information security for the information and information systems that support their operations and assets. Its purposes include the following: * providing a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets; * recognizing the highly networked nature of the current federal computing environment and providing effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities; * providing for development and maintenance of minimum controls required to protect federal information and information systems; * acknowledging that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; and: * recognizing that the selection of specific technical hardware and software information security solutions should be left to individual agencies choosing from among commercially developed products. This act requires agencies to provide cost-effective controls to protect federal information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, and it directs OMB and NIST to establish policies and standards to guide agency implementation of these controls, which may include the use of encryption. The E-Government Act of 2002 also strives to enhance protection for personal information in government information systems by requiring that agencies conduct privacy impact assessments. A privacy impact assessment is an analysis of how personal information is collected, stored, shared, and managed in a federal system. Additionally, the Privacy Act of 1974 regulates agencies' collection, use, and dissemination of personal information maintained in systems of records. In this regard, the Privacy Act requires agencies to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Congress has also passed laws requiring protection of sensitive information that are agency-specific or that target a specific type of information. These laws include the Health Insurance Portability and Accountability Act of 1996,[Footnote 22] which requires additional protections to sensitive health care information and the Veterans Benefits, Health Care, and Information Technology Act,[Footnote 23] enacted in December 2006, which establishes information technology security requirements for personally identifiable information that apply specifically to the Department of Veterans Affairs. Table 2 summarizes the laws that provide a framework for agencies to use in protecting sensitive information. Table 2: Key Laws That Provide a Framework for Agencies to Use in Protecting Sensitive Information: Law: Federal Information Security Management Act of 2002; Security elements: Governs information security in the federal government. Defines roles and responsibilities for OMB and NIST in developing federal policies and guidance. Also addresses the protection of sensitive information in the context of securing federal agency information and information systems. Law: E-Government Act of 2002; Security elements: Enhances protection of personal information in government information systems by requiring that agencies conduct privacy impact assessments. Law: The Privacy Act of 1974; Security elements: Places privacy restrictions on data collected by government agencies maintained in systems of records. Also requires agencies to secure and protect information using adequate technical and physical safeguards. Law: Health Insurance Portability and Accountability Act of 1996; Security elements: Requires privacy regulations that establish standards for protecting medical records and other personal health information of individuals. Resulting regulations include encryption as an addressable (not required) implementation specification. Law: Veterans Benefits, Health Care, and Information Technology Act of 2006; Security elements: Authorizes information technology security requirements for personally identifiable information at the Department of Veterans Affairs, including the requirement to develop procedures for detecting, reporting, and responding to security incidents. Source: GAO analysis of key laws that frame protection of sensitive information. [End of table] OMB Policy Requires Encryption of Sensitive Government Information on Mobile Devices: OMB is responsible for establishing governmentwide policies and for providing guidance to agencies on how to implement the provisions of FISMA, the Privacy Act, and other federal information security and privacy laws. OMB policy expands on the risk-based information security program requirements of FISMA in its 2002 and 2004 guidance[Footnote 24] and in the wake of recent security breaches involving personal data, outlines minimum practices for implementation of encryption required by federal agencies in guidance issued in 2006 and 2007. Specifically: * OMB memorandum M-04-04, E-Authentication Guidance for Federal Agencies, requires that agencies implement specific security controls recommended by NIST,[Footnote 25] including the use of approved cryptographic techniques for certain types of electronic transactions that require a specified level of protection. * OMB memorandum M-06-16, Protection of Sensitive Agency Information, recommends, among other things, that agencies encrypt all agency data on mobile computers and devices or obtain a waiver from the Deputy Secretary of the agency that the device does not contain sensitive information. The memorandum also recommends that agencies use a NIST checklist[Footnote 26] provided in the memorandum that states agencies should verify that information requiring protection is appropriately categorized and assigned an appropriate risk impact category. * OMB memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, restated the M-06-16 recommendations as requirements, and also required the use of NIST- certified cryptographic modules. These OMB memorandums significant to the use of encryption are briefly described in table 3. Table 3: Major OMB Memorandums Related to the Use of Encryption: OMB memorandum: Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones, (M-02-09), July 2, 2002; Description: Requires that agencies document and track plans of actions and milestones necessary to implement security controls including the use of encryption if required. OMB memorandum: E-Authentication Guidance for Federal Agencies, (M-04- 04), Dec. 16, 2003; Description: Requires agencies with systems using remote authentication to conduct electronic authentication risk assessments and select proper controls, including the use of cryptographic components, as recommended by NIST, to protect sensitive information on those systems. OMB memorandum: Protection of Sensitive Agency Information, (M-06-16), June 23, 2006; Description: Recommends that agencies encrypt all data on mobile computers/devices. OMB memorandum: Safeguarding Against and Responding to the Breach of Personally Identifiable Information, (M-07-16), May 22, 2007; Description: Restates the recommendations of OMB M-06-16 as requirements and requires that agencies use NIST-certified cryptographic modules in encryption efforts. Source: GAO analysis of OMB memorandums on encryption. [End of table] NIST Provides Guidance and Standards for Encryption Use: In support of federal laws and policies, NIST provides federal agencies with implementation guidance and mandatory standards for identifying and categorizing information types and for selecting adequate controls based on risk, such as encryption, to protect sensitive information. Specifically, NIST Special Publication 800-53 instructs agencies to follow the implementation guidance detailed in supplemental NIST publications, including the following:[Footnote 27] * NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government, guides the implementation of encryption by agencies. It recommends that prior to selecting a cryptographic method, or combination of methods, agencies address several implementation considerations when formulating an approach and developing requirements for integrating cryptographic methods into new or existing systems, including installing and configuring appropriate cryptographic components associated with selected encryption technologies; monitoring the continued effectiveness and functioning of encryption technologies; developing policies and procedures for life cycle management of cryptographic components (such as procedures for management of encryption keys, backup and restoration of services, and authentication techniques); and training users, operators, and system engineers. * Special Publication 800-57, Recommendation for Key Management, provides guidance to federal agencies on how to select and implement cryptographic controls for protecting sensitive information by describing cryptographic algorithms, classifying different types of keys used in encryption, and providing information on key management. * Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance on the assignment of security categories to information and information systems using FIPS 199.[Footnote 28] * Special Publication 800-63, Electronic Authentication Guideline, addresses criteria for implementing controls that correspond to the assurance levels of OMB memorandum M-04-04 such that, if agencies assign a level 2, 3, or 4 to an electronic transaction, they are required to implement specific security controls, including the use of approved cryptographic techniques. * Special Publication 800-77, Guide to IPsec VPNs, provides technical guidance to agencies in the implementation of virtual private networks, such as identifying needs and designing, deploying, and managing the appropriate solution, including the use of Federal Information Processing Standards (FIPS)-compliant encryption algorithms. NIST also issues FIPS, which frame the critical elements agencies are required to follow to protect sensitive information and information systems. Specifically: * FIPS 140-2, Security Requirements for Cryptographic Modules.[Footnote 29] Agencies are required to encrypt agency data, where appropriate, using NIST-certified cryptographic modules.[Footnote 30] This standard specifies the security requirements for a cryptographic module used within a security system protecting sensitive information in computer and telecommunication systems (including voice systems) and provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. * Several standards describe the technical specifications for cryptographic algorithms, including those required when using digital signatures.[Footnote 31] * FIPS 199 provides agencies with criteria to identify and categorize all of their information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels.[Footnote 32] * FIPS 200 requires a baseline of minimum information security controls for protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems.[Footnote 33] FIPS 200 directs agencies to implement the baseline control recommendations of NIST Special Publication 800-53. The following security-related areas in FIPS 200 whose controls are further detailed in Special Publication 800-53 pertain to the use of encryption: - Access control--describes controls for developing and enforcing policies and procedures for access control including remote access, wireless access, and for portable and mobile devices using mechanisms such as authentication and encryption. - Contingency planning--includes controls to ensure that the organization protects system backup information from unauthorized modification by employing appropriate mechanisms such as digital signatures. - Identification and authentication--describes controls for developing and documenting identification and authentication policies and procedures. * Maintenance--includes remote maintenance control that addresses how an organization approves, controls, and monitors remotely executed maintenance and diagnostic activities including using encryption and decryption of diagnostic communications. * Media protection--describes developing policies and procedures for media protection including media storage (which may include encrypting stored data) and transport. * System and communications protection--includes controls to ensure the integrity and confidentiality of information in transit by employing cryptographic mechanisms if required, including establishing and managing cryptographic keys. NIST publications pertaining to the use of encryption in federal agencies are briefly described in table 4. Table 4: Key NIST Publications for Implementing Encryption Technology: NIST publication: Guideline for Implementing Cryptography In the Federal Government (Special Publication 800-21); Description: Directs agencies on how to select and implement cryptographic controls for protecting sensitive information. NIST publication: Recommended Security Controls for Federal Information Systems (Special Publication 800-53, Revision 2); Description: Recommends that agencies select and specify security controls for information systems, including controls for implementing cryptographic components. NIST publication: Recommendation for Key Management (Special Publication 800-57); Description: Recommends technical guidance to agencies in the proper management and protection of cryptographic keys and the information associated with the keys. NIST publication: Guide for Mapping Types of Information and Information Systems to Security Categories (Special Publication 800-60, Revision 1); Description: Directs agencies to categorize information and information systems, helping agencies determine their needs for encryption. NIST publication: Electronic Authentication Guideline (Special Publication 800-63); Description: Directs agencies to properly implement electronic authentication,[A] including use of cryptographic components where required by the level of electronic authentication assurance. NIST publication: Guide to IPsec VPNs (Special Publication 800-77); Description: Directs agencies to properly implement virtual private networks, such as with the use of FIPS-compliant encryption algorithms. NIST publication: Security Requirements for Cryptographic Modules (FIPS 140-2); Description: Requires agencies to employ this standard when designing and implementing cryptographic modules that federal agencies operate or are operated for them under contract. NIST publication: Secure Hash Standard (FIPS 180-2); Description: Mandates that agencies implement this standard whenever a secure hash algorithm is required for federal applications, including use by other cryptographic algorithms and protocols. NIST publication: Digital Signature Standard (FIPS 186-3); Description: Requires agencies to use this standard when designing and implementing public key-based signatures systems. NIST publication: Advanced Encryption Standard (FIPS 197); Description: Requires use of this or other FIPS-compliant cryptographic algorithms when an agency determines that sensitive (unclassified) information requires cryptographic protection. NIST publication: Standards for Security Categorization of Federal Information and Information Systems (FIPS 199); Description: Requires agencies to use risk-based criteria for the security categorization of information and information systems, helping agencies determine their needs for encryption. NIST publication: Minimum Security Requirements for Federal Information and Information Systems (FIPS 200); Description: Requires agencies to select and implement minimum information security controls based on risk. Source: GAO analysis of NIST publications. [A] The process of electronically establishing confidence in a user's identity. [End of table] Efforts to Encrypt Sensitive Information Varied among Agencies: The extent to which 24 major federal agencies reported that they had implemented encryption and developed plans to implement encryption varied across agencies. Although all agencies had initiated efforts to encrypt stored and transmitted sensitive agency information, none had completed these efforts or developed and documented comprehensive plans to guide their implementation of encryption technologies. Our tests at 6 selected agencies revealed weaknesses in the encryption implementation practices involving the installation and configuration of FIPS-validated cryptographic modules encryption products, monitoring the effectiveness of installed encryption technologies, the development and documentation of policies and procedures for managing these technologies, and the training of personnel in the proper use of installed encryption products. As a result of these weaknesses, federal information may remain at increased risk of unauthorized disclosure, loss, and modification. Reported Efforts to Encrypt Stored Information Lagged behind Efforts to Encrypt Transmitted Information: All 24 major federal agencies reported varying degrees of progress in their efforts to encrypt stored and transmitted sensitive agency information. While most of the agencies reported that they had not completed efforts to encrypt stored sensitive information, they reported being further along with efforts to encrypt transmitted sensitive information. Preparing for the implementation of encryption technologies involves numerous considerations. In response to our survey, agencies reported that they had encountered challenges that hinder the implementation of encryption. See appendix III for a discussion of the hindrances identified by agencies. Few Agencies Have Encrypted All Sensitive Information Stored on Mobile Devices: OMB requires agencies to encrypt all agency data on mobile computers and devices or obtain a waiver from the Deputy Secretary of the agency stating that the device does not contain sensitive information. Of 24 agencies that reported from July through September 2007 on the status of their efforts to encrypt sensitive information stored on their laptops and handheld mobile devices, 8 agencies reported having encrypted information on less than 20 percent of these devices and 5 agencies reported having encrypted information on between 20 and 39 percent of these devices (see fig. 3). Overall, the 24 agencies reported that about 70 percent of laptop computers and handheld devices had not been encrypted. Figure 3: Percentage of Encrypted Laptop Computers and Handheld Computing Devices at 24 Major Federal Agencies: This figure is a bar graph showing the percentage of encrypted laptop computers and handheld computing devices at 24 major federal agencies. The X axis is the percentage encrypted. Number of agencies: 0-19; Percentage encrypted: 8. Number of agencies: 20-39; Percentage encrypted: 5. Number of agencies: 40-59; Percentage encrypted: 2. Number of agencies: 60-79; Percentage encrypted: 3. Number of agencies: 80-100; Percentage encrypted: 6. [See PDF for image] Source: GAO analysis of agency-supplied data. [End of figure] In addition, 10 of 22 agencies reported having encrypted information on less than 20 percent of portable storage media taken offsite, and 3 of 22 reported having encrypted between 20 and 39 percent. Further, 9 of 17 agencies reported encrypting sensitive information on less than 20 percent of offsite backup storage media. However, while agencies were encrypting sensitive data on mobile computers and devices such as laptop computers and handheld devices (e.g. personal digital assistants), 6 agencies reported having other storage devices, such as portable storage media, that could contain sensitive data. Of the 6 agencies, 4 had not encrypted these additional devices. Further, officials at 1 agency had no plans to encrypt sensitive data contained on their portable media. In response to our query in April 2008, OMB officials stated that the term "mobile computers and devices" was intended to include all agency laptops, handheld devices, and portable storage devices such as portable drives and CD-ROMs that contain agency data. Nevertheless, this description is not clear in any of its memorandums. Until OMB clarifies the applicability of the encryption requirement so that agencies can complete encrypting sensitive agency information stored on applicable devices, the information will remain at risk of unauthorized disclosure. Most Agencies Are Encrypting Sensitive Transmitted Information: Most agencies reported that they had encrypted sensitive information transmitted over wired and wireless networks. Of 23 agencies reporting on their efforts to encrypt wired Internet transmissions of sensitive information, 18 agencies reported encrypting nearly all or all (80 percent to 100 percent), of their transmissions over wired Internet networks. In addition, of 21 agencies reporting on their efforts to encrypt wireless transmissions of sensitive information, 12 reported having encrypted all or nearly all such transmissions (see fig. 4). Figure 4: Agency Status of Encrypting Sensitive Information Transmitted Over Wired and Wireless Networks: This figure is a combination bar graph showing agency status of encrypting sensitive information transmitted over wired and wireless networks. Number of agencies: 0-19; Wired Internet transmissions: 1; Wireless network transmissions: 2. Number of agencies: 20-39; Wired Internet transmissions: 1; Wireless network transmissions: 2. Number of agencies: 40-59; Wired Internet transmissions: 0; Wireless network transmissions: 0. Number of agencies: 60-79; Wired Internet transmissions: 3; Wireless network transmissions: 5. Number of agencies: 80-100; Wired Internet transmissions: 18; Wireless network transmissions: 12. [See PDF for image] Source: GAO analysis of survey data reported July through September 2007 by 21 agencies regarding encryption of sensitive information transmitted by wireless networks, and by 23 agencies regarding encrypting such information transmitted by the Internet. [End of figure] Encryption Efforts Had Not Been Adequately Planned at Most Agencies: Although 24 major federal agencies reported having encryption efforts under way, none of the agencies had documented a comprehensive plan that considered the security control implementation elements recommended by NIST. According to NIST, cryptography is best designed as an integrated part of a comprehensive information security program rather than as an add-on feature and it suggests that implementing technical approaches without a plan to guide the process is the least effective approach to making use of cryptography. Specifically, as part of an effective information security program, NIST Special Publication 800-53 requires agencies to inventory and categorize information and systems according to risk as well as to document the baseline security controls--such as encryption--selected to adequately mitigate risks to information. However, of the 24 agencies we surveyed, 18 reported that they had not completed efforts to inventory sensitive information that they hold. Further, NIST recommends that agencies follow NIST Special Publication 800-21 guidance when formulating their approach for integrating cryptographic methods into new or existing systems and documenting plans for implementing encryption, such plans consist of the following minimum elements: * installing and properly configuring FIPS-validated cryptographic modules associated with selected encryption technologies; * monitoring the continued effectiveness of installed cryptographic controls, including the proper functioning of encryption technologies; * documenting and implementing policies and procedures for management of cryptographic components, such as the effective implementation and use of FIPS-compliant encryption technologies and the establishment and management of encryption keys; and: * providing training to users, operators, and system engineers. Although several agencies had developed ad hoc encryption technology acquisition or deployment plans, none of the agencies had documented comprehensive plans that addressed the elements recommended by NIST. In response to our query, OMB officials stated that they monitor agencies' progress toward implementing encryption through quarterly data submitted by the agencies as part of the President's Management Agenda scorecard. However, OMB did not provide us with evidence to demonstrate monitoring of the agencies' efforts to inventory the sensitive information they hold or to develop implementation plans. As previously noted, agencies did not have such plans and often did not have inventories. Until agencies develop and document comprehensive plans to guide their approach for implementing encryption, including completing an inventory of the sensitive information they hold, agencies will have limited assurance that they will be able to effectively complete implementation and manage life cycle maintenance of encryption technologies, as we observed at selected agencies and discuss later in this report. Weaknesses in Encryption Implementation Practices Exist at Selected Agencies: Practices for implementing encryption displayed weaknesses at the 6 federal agencies we reviewed for testing.[Footnote 34] Specifically, 2 of the 6 agencies had not installed FIPS-validated cryptographic modules encryption technologies and 4 had not configured installed encryption technologies in accordance with FIPS 140-2 specifications. In addition, all of the 6 agencies had not either developed or documented policies and procedures for managing encryption implementation, and 3 of these agencies had not adequately trained personnel in the effective use of installed encryption technologies. Protection of information and information systems relies not only on the technology in place but on establishing a foundation for effective implementation, life cycle management, and proper use of the technologies. Until agencies resolve these weaknesses, their data may not be fully protected. FIPS-Compliant Encryption Products Had Not Been Installed on All Agency Devices: OMB requires agencies to protect sensitive agency data stored on mobile devices by installing a FIPS-validated cryptographic modules product, and NIST Special Publication 800-53 recommends that agencies install FIPS-compliant products when the agency requires encryption of stored or transmitted sensitive information. Agencies can now acquire FIPS- validated cryptographic module products for encrypting stored information through the General Services Administration's (GSA) SmartBUY program (see app. IV for a description of this program). Use of encryption technologies approved by NIST as compliant with FIPS 140- 2 provides additional assurance that the product implemented--if configured correctly--will help protect sensitive information from unauthorized disclosure. Laptop computers. The Department of Housing and Urban Development (HUD) had not installed encryption products on any of its laptop computers despite an agency official's assertions to the contrary. HUD officials explained that they had planned to implement FIPS-compliant encryption in fiscal year 2008 but that implementation was delayed until late in fiscal year 2008 due to lack of funding and it is now part of their fiscal year 2009 budget request. In addition, the Department of Education had not installed a FIPS-validated cryptographic modules product to encrypt sensitive information on any of the 15 laptop computers that we tested at one of its components. Of the 4 remaining agencies, 3--the Department of Agriculture (USDA), the State Department,[Footnote 35] and GSA--had installed FIPS-compliant technologies on all 58 of the laptop computers that we tested at specific locations within each agency. At the National Aeronautics and Space Administration (NASA) location we tested, we confirmed that the agency's selected FIPS-compliant encryption software had been installed on 27 of 29 laptop computers. Although the agency asserted that it had installed it on all 29 laptops, officials explained that they did not have a mechanism to detect whether the encryption product was successfully installed and functioning. Handheld devices. All 6 of the agencies had deployed FIPS-compliant handheld mobile devices (specifically, BlackBerry� devices) for use by personnel. BlackBerry software and the BlackBerry enterprise server software enable users to store, send, and receive encrypted e-mail and access data wirelessly using FIPS-validated cryptographic modules encryption algorithms. Virtual private networks. One of three virtual private networks installed by the Department of Education was not a FIPS-compliant product. The remaining 5 agencies had installed FIPS-validated cryptographic modules products to protect transmissions of sensitive information. Certain Agencies Did Not Consistently Configure or Install Encryption Technologies in Accordance with NIST Requirements: Although most agencies had installed FIPS-compliant products to encrypt information stored on devices and transmitted across networks, some did not monitor whether the product was functioning or configure the product to operate only in a FIPS-validated cryptographic modules secure mode. Until agencies configure FIPS-compliant products in a secure mode as directed by NIST--for example, by enabling only FIPS- validated cryptographic module encryption algorithms--protection against unauthorized decryption and disclosure of sensitive information will be diminished. Laptop computers. Of the 4 agencies with FIPS-compliant products installed on laptop computers, 3 had configured the product to operate in a secure mode as approved by NIST on all devices that we examined. However, a component of the Department of Agriculture had not effectively monitored the effectiveness and continued functioning of encryption products on 5 of the 52 laptop computers that we examined. Agency officials were unaware that the drives of these devices had not been correctly encrypted. The drives, while having the encryption software installed, did not encrypt the data on the drive. This agency's system administrator attributed the noncompliance to the failure of a step in the installation process; specifically, the laptop had not been connected to the agency's network for a sufficient period of time to complete activation of the user's encryption key by the central server, and the agency had no mechanism in place to monitor whether the installed product was functioning properly. Handheld devices. Three of the 6 agencies--the Department of Education, HUD, and NASA--had not configured their handheld BlackBerry devices to encrypt the data contained on the devices. All six of the agencies encrypted data in transit because FIPS-validated cryptographic modules encryption was built into the BlackBerry device software. However, agencies must enable the encryption to protect information stored on the device itself by making a selection to do so and requiring the user to input a password. Officials at these 3 agencies stated that they had not enabled this protective feature on all their BlackBerry devices due to operational issues with enabling content protection and that they are awaiting a solution from the vendor. Virtual private networks. Two of the 6 agencies--the Department of Education and HUD--had not configured their virtual private networking technologies to use only strong, FIPS-validated cryptographic modules encryption algorithms for encrypting data and to ensure message integrity. The use of weak encryption algorithms--ones that have not been approved by NIST or that have explicitly been disapproved by NIST- -provides limited assurance that information is adequately protected from unauthorized disclosure or modification. Agencies Had Not Developed or Documented Encryption Policies and Procedures: The weaknesses in encryption practices identified at the 6 selected agencies existed in part because agencywide policies and procedures did not address federal guidelines related to implementing and using encryption. NIST Special Publication 800-53 recommends that agencies develop a formal, documented policy that addresses the system and communications controls as well as a formal, documented procedure to facilitate implementation of these controls. While policies should address the agency's position regarding use of encryption and management of encryption keys, the implementation procedures should describe the steps for performance of specific activities such as user registration, system initialization, encryption key generation, key recovery, and key destruction. However, 4 of the 6 agencies did not have a policy that addressed the establishment and management of cryptographic keys as directed by NIST, and none of the 6 agencies had detailed procedures for implementing this control. Furthermore, according to NIST guidance, agency policies and procedures are to address how agencies will install and configure FIPS-compliant encryption products. All agencies' policies addressed how the agency planned to comply with these requirements. However, 4 agencies did not have detailed procedures requiring installation and configuration of FIPS-compliant cryptography (see table 5). Table 5: Agency Policies and Procedures That Address NIST Encryption Controls: Agency: USDA; Encryption key establishment and management control: Policy: Yes; Encryption key establishment and management control: Procedures: No; Installation and configuration of FIPS-compliant encryption products: Policy: Yes; Installation and configuration of FIPS-compliant encryption products: Procedure: Yes. Agency: Education; Encryption key establishment and management control: Policy: No; Encryption key establishment and management control: Procedures: No; Installation and configuration of FIPS-compliant encryption products: Policy: Yes; Installation and configuration of FIPS-compliant encryption products: Procedure: No. Agency: HUD; Encryption key establishment and management control: Policy: Yes; Encryption key establishment and management control: Procedures: No; Installation and configuration of FIPS-compliant encryption products: Policy: Yes; Installation and configuration of FIPS-compliant encryption products: Procedure: No. Agency: State; Encryption key establishment and management control: Policy: No; Encryption key establishment and management control: Procedures: No; Installation and configuration of FIPS-compliant encryption products: Policy: Yes; Installation and configuration of FIPS-compliant encryption products: Procedure: No. Agency: GSA; Encryption key establishment and management control: Policy: No; Encryption key establishment and management control: Procedures: No; Installation and configuration of FIPS-compliant encryption products: Policy: Yes; Installation and configuration of FIPS-compliant encryption products: Procedure: No. Agency: NASA; Encryption key establishment and management control: Policy: No; Encryption key establishment and management control: Procedures: No; Installation and configuration of FIPS-compliant encryption products: Policy: Yes; Installation and configuration of FIPS-compliant encryption products: Procedure: Yes. Source: GAO analysis of agency policies and procedures for NIST encryption controls. [End of table] Policies and procedures for installing and configuring encryption technologies and for managing encryption keys provide the foundation for the effective implementation and use of encryption technologies and are a necessary element of agency implementation plans. Until these agencies develop, document, and implement these policies and procedures, the agencies' implementation of encryption may be ineffective in protecting the confidentiality, integrity, and availability of sensitive information. Three Agencies Had Not Adequately Trained Personnel to Use Installed Encryption Products: Also contributing to the weaknesses at 3 of 6 agencies was the failure to adequately train personnel in the proper use of installed encryption technology. Specifically: * USDA officials stated that users had not been trained to check for continued functioning of the software after installation but that they were in the process of including encryption concepts in its annual security awareness training required for all computer users. At the conclusion of our review, USDA had not yet completed this effort. * At the component of the Department of Education where testing was conducted, some users were unaware that the agency had installed encryption software on their laptop computers. These users, therefore, had never used the software to encrypt sensitive files or folders. Further, while an agency official asserted that encryption training was provided, the training documents provided pertained only to the protection of personally identifiable information and did not provide specifics on how to use the available encryption products. Users we spoke with were unaware of any available training. * At NASA, several users stated that they had refused to allow the encryption software to be installed on their devices, while other users said they were unfamiliar with the product. Although NASA requires users to receive training when encryption is installed and has developed a training guide, there was no mechanism in place to track whether users complete the necessary training. Until these agencies provide effective training to their personnel in the proper management and use of installed encryption technologies, they will have limited confidence in the ability of the installed encryption technologies to function as intended. Conclusions: Despite the availability of numerous types of commercial encryption technologies and federal policies requiring encryption, most federal agencies had just begun to encrypt sensitive information on mobile computers and devices. In addition, agencies had not documented comprehensive plans to guide activities for effectively implementing encryption. Although governmentwide efforts were under way, agency uncertainty with OMB requirements hampered progress. In addition, weaknesses in encryption practices at six selected federal agencies-- including practices for installing and configuring FIPS-validated cryptographic modules products, monitoring the effectiveness of these technologies, developing encryption policies and procedures, and training personnel--increased the likelihood that the encryption technologies used by the agencies will not function as intended. Until agencies address these weaknesses, sensitive federal information will remain at increased risk of unauthorized disclosure, modification, or loss. Recommendations for Executive Action: We are making 20 recommendations to the Director of the Office of Management and Budget and six federal departments and agencies to strengthen encryption of federal systems. To assist agencies with effectively planning for and implementing encryption technologies to protect sensitive information, we recommend that the Director of the Office of Management and Budget take the following two actions: * clarify governmentwide policy requiring agencies to encrypt sensitive agency data through the promulgation of additional guidance and/or through educational activities and: * monitor the effectiveness of the agencies' encryption implementation plans and efforts to inventory the sensitive information they hold. To assist the Department of Agriculture as it continues to deploy its departmentwide encryption solutions and to improve the life cycle management of encryption technologies, we recommend that the Secretary of Agriculture direct the chief information officer to take the following three actions: * establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices, * develop and implement departmentwide procedures for encryption key establishment and management, and: * develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used. We also recommend that the Secretary of the Department of Education direct the chief information officer to take the following five actions to improve the life cycle management of encryption technologies: * evaluate, select, and install FIPS 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency; * configure installed FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product; * develop and implement departmentwide policy and procedures for encryption key establishment and management; * develop and implement departmentwide procedures for use of FIPS- compliant cryptography; and: * develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used. To ensure that the Department of Housing and Urban Development is adequately protecting its sensitive information and to improve the life cycle management of encryption technologies at the department, we recommend that the Secretary of Housing and Urban Development direct the chief information officer to take the following three actions: * evaluate, select, and install FIPS 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency; * configure installed FIPS-compliant encryption technologies in accordance with FIPS-validated cryptographic modules security settings for the product; and: * develop and implement departmentwide procedures for the use of FIPS- compliant cryptography and for encryption key establishment and management. To improve the life cycle management of encryption technologies at the Department of State, we recommend that the Secretary of State direct the chief information officer to take the following two actions: * develop and implement departmentwide policy and procedures for encryption key establishment and management and: * develop and implement departmentwide procedures for use of FIPS- compliant cryptography. To improve the life cycle management of encryption technologies at the General Services Administration, we recommend that the Administrator of the General Services Administration direct the chief information officer to take the following two actions: * develop and implement departmentwide policy and procedures for encryption key establishment and management and: * develop and implement departmentwide procedures for use of FIPS- compliant cryptography. As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, we recommend that the Administrator of the National Aeronautics and Space Administration direct the chief information officer to take the following three actions: * establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices, * develop and implement departmentwide policy and procedures for encryption key establishment and management, and: * develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used. Agency Comments: We received written comments on a draft of this report from the Administrator, Office of E-Government and Information Technology at OMB (reproduced in app. V). OMB generally agreed with the report's contents and stated that it would carefully consider our recommendations. We also received written comments from Education's Chief Information Officer (reproduced in app. VI), from HUD's Acting Chief Information Officer (reproduced in app. VII), from the Department of State (reproduced in app. VIII), from the Acting Administrator of the GSA (reproduced in app. IX), and from the Deputy Administrator of NASA (reproduced in app. X). We received comments via email from the Department of Agriculture. In these comments, the Departments of Agriculture, Education, HUD, and State; the GSA; and NASA agreed with our recommendations to their respective departments. Agencies also stated that they had implemented or were in the process of implementing our recommendations. In addition, NIST and the Social Security Administration provided technical comments, which we have incorporated as appropriate. As we agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution of it until 30 days from the date of this letter. At that time, we will send copies of this report to interested congressional committees and the agency heads and inspectors general of the 24 major federal agencies. We will also make copies available to others on request. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you have any questions or wish to discuss this report, please contact me at (202) 512-6244 or [email protected]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix XI. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: The objectives of our review were to determine (1) how commercially available encryption technologies could help federal agencies protect sensitive information and reduce risks; (2) the federal laws, policies, and guidance for using encryption technologies to protect sensitive information; and (3) the extent to which agencies have implemented, or planned to implement, encryption technologies to protect sensitive information. To address the first objective, we reviewed prior GAO reports and reviewed documentation regarding products validated by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program to identify commercially available encryption technologies. Additionally, we met with a vendor of an encryption product and interviewed NIST encryption experts regarding the characteristics of products that can reduce risks to agencies. To address the second objective, we reviewed prior GAO and agency inspector general reports to identify relevant laws and guidance such as the Federal Information Security Management Act of 2002 (FISMA) and the Privacy Act of 1974 to identify mandatory and optional practices for protecting sensitive information (including personally identifiable information but excluding classified national security information) that federal agencies collect, process, store, and transmit. We examined the laws to identify federal agencies responsible for promulgating federal policies and standards on the use of encryption. Additionally, we researched official publications issued by the Office of Management and Budget and NIST and interviewed officials from these agencies to identify the policies, standards, and guidance on encryption that have been issued. To address the third objective, we collected and analyzed agency- specific policies, plans, and practices through a data request and also conducted a survey of the 24 major federal agencies. A survey specialist designed the survey instrument in collaboration with subject matter experts. Then, the survey was pretested at 4 of these agencies to ensure that the questions were relevant and easy to comprehend. For each agency surveyed, we identified the appropriate point of contact, notified each one of our work, and distributed the survey along with a data request to each via e-mail in June 2007. In addition, we discussed the purpose and content of the survey and data request with agency officials when requested. All 24 agencies responded to our survey and data request from June to September 2007; results are reported as of this date. We contacted agency officials when necessary for additional information or clarification of agencies' status of encryption implementation. We did not verify the accuracy of the agencies' responses; however, we reviewed supporting documentation that agencies provided to corroborate information provided in their responses. We then analyzed the results from the survey and data request to identify: * the types of information encrypted in data when stored and in transit; * technologies used by the agency to encrypt information; * whether the technologies implemented by the agency met federal guidelines; * the extent to which the agency has implemented, or plans to implement, encryption; and: * any challenges faced and lessons learned by agencies in their efforts to encrypt sensitive but unclassified information. Conducting any survey may introduce errors. For example, differences in how a particular question is interpreted, the sources of information that are available to respondents, or how the data are entered or were analyzed can introduce variability into the survey results. We took steps in the development of the survey instrument, the data collection, and the data analysis to minimize errors. In addition, we tested the implementation of encryption technologies at 6 agencies to determine whether each agency was complying with federal guidance that required agencies to use NIST-validated encryption technology. Out of 24 major federal agencies, we selected 6 that met one or more of the following conditions: they (1) had not been tested under a recent GAO engagement, (2) had reported having initiated efforts to install FIPS-validated cryptographic modules encryption technologies, (3) had experienced publicized incidents of data compromise, or (4) were reasonably expected to collect, store, and transmit a wide range of sensitive information. Specifically, we tested the implementation of encryption for BlackBerry servers, virtual private networks, or a random selection of laptop computers at specific locations at the following 6 agencies within the Washington, D.C. area:[Footnote 36] * U.S. Department of Agriculture, * Department of Education, * Department of Housing and Urban Development, * Department of State,[Footnote 37] * General Services Administration, and: * National Aeronautics and Space Administration: At each of these agencies, we requested an inventory of laptop computers that were located at agency facilities in the Washington, D.C., metro area and that were encrypted. For each agency, we nonstatistically selected one location at which to perform testing, and thus the encryption test results for each agency cannot be projected to the entire agency. We performed the testing between September and December 2007. At each location where laptop computers were tested, there were a small number of laptop computers that were requested as part of our sample but which were not made available to us for testing. Department officials cited several reasons for this, including that the user of the device could not bring it to the location in time for our testing. In testing the laptop computers, we determined whether encryption software had been installed on the device and whether the software had been configured properly to adhere to federally required standards. Although we identified unencrypted laptop computers at each agency, we were not able to make statistical estimates of the percentage of unencrypted devices at each location. The small number of devices in each sample not made available to us for our testing compromised the randomness of each sample. Additionally, for each of the selected locations among the 6 agencies, we requested information on their BlackBerry servers, chose the server with the greatest number of users for testing, and reviewed through observation the specific security configuration settings. We also requested and examined agency-provided information for their virtual private networks to determine if encrypted networks were using products validated by NIST. Finally, we interviewed agency officials regarding their practices for encrypting stored data as well as data in transit, and for encryption key establishment and management. Furthermore, we reviewed and analyzed data on the General Services Administration's SmartBUY program to determine the extent of savings the program provides to federal agencies and how certain agencies have already benefited from the program. We conducted this performance audit from February 2007 through June 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Important Considerations for Implementing Encryption to Effectively Reduce Agency Risks: Encryption technology may help protect sensitive information from compromise; however, there are several important implementation and management considerations when selecting and implementing this technology. Encryption can be a powerful tool, but implementing it incorrectly--such as by failing to properly configure the product, secure encryption keys, or train users--can, at best, result in a false sense of security and, at worst, render data permanently inaccessible. Designing, building, and effectively implementing commercially available cryptographic technologies involves more than installing the technology. Decisions must be made for managing encryption keys and related cryptographic components, as well as for managing mobile devices and using public key infrastructure (PKI) technologies. Ultimately, the effectiveness of the encryption technologies used to protect agency information and reduce risk depends on how an agency implements and manages these technologies and the extent to which they are an integral part of an effectively enforced information security policy that includes sound practices for managing encryption keys. Encryption Key Management Considerations: Policies and procedures. Comprehensive policies for the management of encryption and decryption keys--the secret codes that lock and unlock the data--are an important consideration. Providing lifetime management of private keys and digital certificates across hundreds of applications and thousands of servers, end-users, and networked devices can quickly strain an agency's resources. For example, if a key is lost or damaged, it may not be possible to recover the encrypted data. Therefore, it is important to ensure that all keys are secured and managed properly by planning key management processes, procedures, and technologies before implementing storage encryption technologies. According to NIST, this planning would include all aspects of key management, including key generation, use, storage, and destruction. It would also include a careful consideration of how key management practices can support the recovery of encrypted data if a key is inadvertently destroyed or otherwise becomes unavailable (for instance, because a user unexpectedly resigns or loses a cryptographic token containing a key). An example of recovery preparation is storing duplicates of keys in a centralized, secured key repository or on physically secured removable media. Additional considerations for the encryption of removable media are how changing keys may affect access to encrypted storage on the media and what compensating controls could be developed, such as retaining the previous keys in case they are needed. Key storage location. Another consideration that NIST describes is deciding where the local keys will be stored. For some encryption technologies, such as full disk encryption and many file/folder encryption products, there are often several options for key location, including the local hard drive, a flash drive, a cryptographic token, or a trusted platform module chip. Some products also permit keys to be stored on a centralized server and retrieved automatically after the user authenticates successfully. For virtual disk encryption, the main encryption key is often stored encrypted within the disk or container itself. Access to encryption keys. Another consideration is properly restricting access to encryption keys. According to NIST, storage encryption technologies should require the use of one or more authentication mechanisms, such as passwords, smart cards, and cryptographic tokens, to decrypt or otherwise gain access to a storage encryption key. The keys themselves should be logically secured (encrypted) or physically secured (stored in a tamper-resistant cryptographic token). The authenticators used to retrieve keys should also be secured properly. Managing cryptographic components related to encryption keys. In addition to key management, NIST describes several other considerations when planning a storage encryption technology. Setting the cryptography policy involves choosing the encryption algorithm, mode of cryptographic operation, and key length. Federal agencies must also use NIST-validated cryptographic modules configured for FIPS-compliant algorithms and key lengths. In addition, several FIPS-compliant algorithms are available for integrity checking. Another consideration for managing cryptographic components is how easily an encryption product can be updated when stronger algorithms and key sizes become available in the future. Other Implementation Considerations: Centralized management of mobile devices. NIST recommends centralized management for most storage encryption deployments because of its effectiveness and efficiency for policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. Centralized management can also automate these functions: deployment and configuration of storage encryption software to end user devices, distribution and installation of updates, collection and review of logs, and recovery of information from local failures. PKI technology. Because PKI technology uses a public key as part of its encryption system, PKI systems with key management can be used to avoid the problem of lost keys. Data encrypted with PKI relies on one public key, so the private key of the person encrypting the data isn't necessarily required to decrypt it. However, if an unauthorized user is able to obtain a private key, the digital certificate could then be compromised. Agencies considering PKI technology must ensure that the key systems of different agencies are compatible for cross-agency collaboration on tasks such as security incident information sharing. Further, users of certificates are dependent on certification authorities to verify the digital certificates. If a valid certification authority is not used, or a certification authority makes a mistake or is the victim of a cyber attack, a digital certificate may be ineffective. Ongoing maintenance of encryption technologies. Systems administrators responsible for encryption technology maintenance should be able to configure and manage all components of the technology effectively and securely. According to NIST, it is particularly important to evaluate the ease of deployment and configuration, including how easily the technology can be managed as the technology is scaled to larger deployments. Another consideration is the ability of administrators to disable configuration options so that users cannot circumvent the intended security. Other maintenance considerations NIST describes include the effects of patching/upgrading software, changing software settings (changing cryptographic algorithms or key sizes), uninstalling or disabling encryption software, changing encryption/decryption keys, and changing user or administrator passwords. [End of section] Appendix III: Hindrances Faced by Agencies when Implementing Encryption: Preparing an agency for encryption presents numerous challenges to agencies, including selecting an adequate combination of cost-effective baseline security controls, properly configuring the networks and user devices within the information technology (IT) infrastructure to accommodate selected encryption technologies, providing training to personnel, and managing encryption keys. In response to our survey, agencies reported several conditions that hinder their ability to encrypt sensitive information as required by the Office of Management and Budget. In response to our survey, all 24 agencies reported hindrances with implementing encryption. These hindrances included prohibitive costs; user acceptance; user training; data backup and recovery; data archival and retrieval; interoperability; infrastructure; vendor support for encryption products acquired; availability of FIPS-compliant products to meet the needs of uncommon or unique devices, applications, or environments within the agency's IT infrastructure; and management support for migration to encryption controls. Agencies noted the level of hindrance caused by these challenges ranged from little or no hindrance to great or very great hindrance. The most challenging conditions are discussed below. Prohibitive costs. Nine agencies reported that the cost of acquiring and implementing encryption was their greatest hindrance, and 13 agencies cited this condition as somewhat of a hindrance or a moderate hindrance. As reported in appendix IV, a governmentwide initiative (SmartBUY) has been established to assist agencies with overcoming this hindrance. User acceptance and training. Some encryption technologies can be burdensome to users and can require specialized training on encryption concepts and proper installation, maintenance, and use of encryption products. Sixteen agencies reported facing somewhat of a hindrance or a moderate hindrance in obtaining user acceptance of encryption implementations and in training personnel. Four agencies reported a great or very great hindrance from lack of user acceptance, and 2 agencies reported a great hindrance from insufficient training. Data backup, recovery, archiving, and retrieval. Agencies must establish policies and procedures for management of encryption keys, which are necessary to recover data from back-ups in the event of a service interruption or disaster, or to retrieve data in archived records, perhaps many years in the future. For example, if the key is not properly backed up and is on a server that has been destroyed in a fire or the key used to encrypt archived records changes over time, data encrypted with the key may be irretrievably lost. Sixteen agencies reported facing somewhat of a hindrance or a moderate hindrance with backup and recovery, and 15 agencies reported the same level of hindrance with data archiving and retrieval. Interoperability. Key systems and technologies of different agencies need to be compatible with each other for cross-agency collaboration. Five agencies reported that lack of interoperability was a great or very great hindrance, and 13 reported somewhat of a hindrance or a moderate hindrance. Infrastructure considerations. Six agencies reported facing a great or very great hindrance in readying their IT infrastructure for encryption and 11 reported this was somewhat of a hindrance or a moderate hindrance. Table 6 summarizes the number of agencies reporting the extent to which 10 conditions affect their agency's ability to implement encryption. Table 6: Hindrances to Implementing Encryption at Federal Agencies: Hindrance: Prohibitive costs; Little or no hindrance: 2; Some hindrance: 8; Moderate hindrance: 5; Great or very great hindrance: 9. Hindrance: Lack of user acceptance; Little or no hindrance: 3; Some hindrance: 12; Moderate hindrance: 4; Great or very great hindrance: 4. Hindrance: Difficulties with data backup and recovery; Little or no hindrance: 5; Some hindrance: 10; Moderate hindrance: 6; Great or very great hindrance: 3. Hindrance: Insufficient training; Little or no hindrance: 4; Some hindrance: 13; Moderate hindrance: 3; Great or very great hindrance: 2. Hindrance: Difficulties with archiving and retrieving; Little or no hindrance: 5; Some hindrance: 12; Moderate hindrance: 3; Great or very great hindrance: 3. Hindrance: Lack of interoperability; Little or no hindrance: 3; Some hindrance: 6; Moderate hindrance: 7; Great or very great hindrance: 5. Hindrance: Lack of infrastructure readiness; Little or no hindrance: 7; Some hindrance: 2; Moderate hindrance: 9; Great or very great hindrance: 6. Hindrance: Lack of vendor support; Little or no hindrance: 8; Some hindrance: 8; Moderate hindrance: 6; Great or very great hindrance: 1. Hindrance: Lack of FIPS-compliant products; Little or no hindrance: 7; Some hindrance: 6; Moderate hindrance: 4; Great or very great hindrance: 4. Hindrance: Lack of management acceptance; Little or no hindrance: 7; Some hindrance: 9; Moderate hindrance: 1; Great or very great hindrance: 2. Source: GAO analysis of agency-reported data. Respondents were permitted to select more than one condition. [End of table] Although agencies reported facing hindrances to implementing encryption, a new program (GSA SmartBUY specific to encryption products) established after we started our review, offers agencies options to overcome key hindrances. For example, prohibitive costs and acquiring FIPS-compliant products are two hindrances that agencies may be able to address through SmartBUY. As discussed in appendix IV, discounted pricing is available for data-at-rest encryption software. In addition, all products available through SmartBUY use cryptographic modules validated under FIPS 140-2 security requirements. [End of section] Appendix IV: GSA SmartBUY Program for Data-at-Rest Encryption Products: To help agencies comply with OMB requirements for encrypting information on mobile devices, a governmentwide acquisition vehicle was established for encryption products for stored data. Through a governmentwide program known as SmartBUY (Software Managed and Acquired on the Right Terms), agencies can procure encryption software at discounted prices. According to the General Services Administration (GSA), SmartBUY is a federal government procurement vehicle designed to promote effective enterprise-level software management. By leveraging the government's immense buying power, SmartBUY could save taxpayers millions of dollars through governmentwide aggregate buying of commercial off-the-shelf software products. SmartBUY officially began in 2003, when OMB issued a memo emphasizing the need to reduce costs and improve quality in federal purchases of commercial software.[Footnote 38] The memo designates GSA as the executive agent to lead the interagency initiative in negotiating governmentwide enterprise licenses for software. SmartBUY establishes strategic enterprise agreements with software publishers (or resellers) via blanket purchase agreements. OMB Memorandum 04-08, Maximizing Use of SmartBUY and Avoiding Duplication of Agency Activities with the President's 24 E-Gov Initiatives, requires agencies to review SmartBUY contracts to determine whether they satisfy agency needs--such as for products to encrypt stored data--and, absent a compelling justification for doing otherwise, acquire their software requirements from the SmartBUY program. The issuance of OMB's May 2006 recommendation to encrypt mobile devices contributed to the addition of 11 SmartBUY agreements for stored data encryption products established in June 2007. The products offered fall into one of three software and hardware encryption product categories: full disk encryption, file encryption, or integrated full disk/file encryption products. All products use cryptographic modules validated under FIPS 140-2 security requirements. Volume discounts on encryption products are available when purchasing in tiers of 10,000, 33,000, and 100,000 users. Each of the 11 agreements has its own pricing structure, which may include maintenance and training in addition to licenses for users. Discounts on volume pricing can range up to 85 percent off GSA schedule prices. Table 7 provides an example of the discounted pricing available from 1 of the 11 SmartBUY agreements for encryption software. Table 7: Examples of Volume Discount Pricing Available through SmartBUY: Order quantity: 1-99; Commercial list price: $199.00; GSA schedule price: $171.08; SmartBUY price: $133.52. Order quantity: 100-499; Commercial list price: 164.00; GSA schedule price: 140.99; SmartBUY price: 102.47. Order quantity: 500-999; Commercial list price: 149.00; GSA schedule price: 128.10; SmartBUY price: 94.19. Order quantity: 1,000-1,999; Commercial list price: 133.00; GSA schedule price: 114.34; SmartBUY price: 81.77. Order quantity: 2,000-2,999; Commercial list price: 119.00; GSA schedule price: 102.31; SmartBUY price: 76.59. Order quantity: 3,000-4,999; Commercial list price: 111.00; GSA schedule price: $95.43; SmartBUY price: 71.42. Order quantity: 5,000-9,999; Commercial list price: 98.00; GSA schedule price: [Empty]; SmartBUY price: 67.50. Order quantity: 10,000-24,999; Commercial list price: $83.00; GSA schedule price: [Empty]; SmartBUY price: 54.75. Order quantity: 25,000-49,999; Commercial list price: [Empty]; GSA schedule price: [Empty]; SmartBUY price: 44.00. Order quantity: 50,000-99,999; Commercial list price: [Empty]; GSA schedule price: [Empty]; SmartBUY price: 37.00. Order quantity: 100,000-199,999; Commercial list price: [Empty]; GSA schedule price: [Empty]; SmartBUY price: $30.00. Source: GSA supplied documentation. [End of table] As of January 2008, 10 agencies had purchased encryption products--such as software licenses, annual maintenance services, and training--from the stored data SmartBUY list, realizing significant cost savings. One of those agencies--the Social Security Administration--purchased 250,000 licenses of one of the stored data products at a savings of $6.7 million off the GSA schedule prices. Additionally, USDA negotiated an agreement for 180,000 licenses at $9.63 each, as opposed to the GSA unit price of $170 per license. The large number of licenses acquired allowed USDA to negotiate the low price. Several agencies noted that considering an enterprisewide deployment of encryption can be helpful with issues of standardization, interoperability, and infrastructure readiness. While 10 agencies have already acquired encryption products through the SmartBUY program, several agencies are still in the process of assessing which encryption products (including those available under the SmartBUY program) will best suit agency needs. [End of section] Appendix V Comments from the Office of Management and Budget: Executive Office Of The President: Office Of Management And Budget: Washington, DC. 20503 June 19, 2008 Gregory C. Wilshusen: Director, Information Security Issues: United States Government Accountability Office: 441 G St., NW: Washington, D.C. 20548: Dear Mr. Wilshusen: Thank your for the opportunity to review and comment on General Accountability Office's (GAO's) draft report entitled, "Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains." The Office of Management and Budget (OMB) appreciates the work GAO has devoted to this issue. As the draft report indicates, OMB has been working to provide Federal Departments and agencies with the tools and guidance necessary for the implementation and use of encryption appropriately to protect Federal information. In OMB Memorandum M-06- 16, dated June 23, 2006, "Protection of Sensitive Agency Information," OMB recommended agencies "encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing." In OMB Memorandum M-07-16, dated May 22, 2007, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," OMB required agencies to implement this policy for personally identifiable information. In order to help agencies implement encryption requirements, OMB has been working with both the Commerce Department's National Institute of Standards and Technology (NIST) and the General Services Administration (GSA) to provide agencies with guidance and tools. GSA and the Department of Defense established a Software Managed and Acquired on the Right Terms (SmartBUY) agreement for products certified through the NIST Federal Information Processing Standards (F1PS) 140-2 Cryptomodule Validation Program. Agencies are using these certified products to encrypt data on agency information systems. SmartBUY is a Federal government procurement vehicle designed to promote effective enterprise level software acquisition and management. By leveraging the government's immense buying power, SmartBUY has saved taxpayers millions of dollars through government wide aggregate buying of Commercial off-the-shelf (COTS) software products, and agencies are utilizing new SmartBUY agreements to acquire quality security products at lower costs. To date, the Federal government has avoided and/or saved more than $600 million dollars ($133 million in 2007) through the use of this program. Benefits of the SmartBUY program are not confined solely to Federal agencies; the encryption Blanket Purchase Agreement (BPA) was written so that state and local governments can also take advantage of this opportunity. The state and local governments are participating under GSA's Cooperative Purchasing Program, which allows them to purchase IT products and services from both GSA's Multiple Award Schedule 70 and Consolidated Schedules that have IT special item numbers. To date 127,296 licenses have been issued across 15 states (including local governments). This has resulted in savings of $24 million on purchases of encryption software through use of these Federal contracts and approximately $8 million using the special state and local government offers -- for a total of more than $32 million in savings/cost avoidance to date. In addition to ensuring agencies have appropriate guidance and tools, OMB closely monitors agency progress on policy implementation through a variety of mechanisms, including the President's Management Agenda (PMA) E-Government Scorecard. The PMA E-Government Scorecard process includes ongoing staff-level dialogue between OMB and the agencies, and quarterly oversight assessments which OMB discusses with agency managers. The draft GAO report makes two recommendations to the OMB Director. These draft recommendations are for OMB to: * Clarify government-wide policy requiring agencies to encrypt sensitive agency data through the promulgation of additional guidance and/or through educational activities. * Monitor the effectiveness of agency encryption implementation plans and agency efforts to inventory the sensitive information it holds. OMB will carefully consider these recommendations to determine whether or not any additional activities in these areas will help to improve the effective implementation and use of encryption products across the Federal government. In particular, we will attempt to leverage existing government wide educational vehicles and forums, such as the CIO Council's Best Practices Committee. Thank you again for the opportunity to comment on the draft report. Sincerely, Karen S. Evans: Administrator, Office of E-Government and Information Technology: [End of section] Appendix VI: Comments from the Department of Education: United States Department Of Education: Office Of The Chief Information Officer: The Chief Information Officer: 400 Maryland Avenue, S.W. Washington D.C. 20202: [hyperlink, http://www.ed.gov]: May 28, 2008: Mr. Gregory C. Wilshusen: Director, Information Security Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: I am providing comments on behalf of the U.S. Department of Education (Department) on the five recommendations listed on page 40 of the DRAFT report by the General Accountability Office (GAO) (GAO-08-525), "Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains." The draft report includes recommendations that the Secretary of the Department of Education direct the chief information officer to take five actions to improve the management of encryption technologies throughout the agency. We have the following responses regarding the recommendations: Recommendation 1. Evaluate, select, and install FIPS 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency. The Department has already implemented many solutions with regard to encryption technologies to safeguard data. We plan to further evaluate current safeguards and determine what improvements would be appropriate. Thus, we agree with GAO's recommendation to evaluate, select, and install additional Federal Information Processing Standards (FIPS) 140-2 compliant solutions for all encryption needs and for documenting plans for addressing the protection of all sensitive information stored and transmitted by the Department. Recommendation 2. Configure installed FIPS-compliant encryption technologies in accordance with NIST-approved security settings for the product. The Department agrees with GAO's recommendation for configuring all currently installed FIPS-compliant encryption technologies in accordance with National Institute of Standards and Technology (NIST)- approved security settings. The Department further intends to develop plans to ensure that all virtual private network (VPN) devices/software are FIPS certified. We have directed the Department's contractor under the "Educate contract," our contract for information technology (IT), to provide various plans, including a sequence plan with milestones, a compliance plan, an interoperability plan, and a risk management plan. We will ask the contractor to provide recommendations and milestones for our review and concurrence. Recommendation 3. Develop and implement departmentwide policy and procedures for encryption key establishment and management. The Department agrees with GAO's recommendation to develop and implement a department-wide policy and procedures for encryption key establishment and management, including procedures for the use of FIPS- compliant cryptography. We expect that our policy and procedures for addressing encryption key establishment, key management, and use of FIPS-compliant cryptography technologies will be in final form in July o f 2008. Recommendation 4. Develop and implement departmentwide procedures for use of FIPS-compliant cryptography. The Department agrees with GAO's recommendation to develop and implement department-wide procedures for use of FIPS-compliant cryptography. In addition to our efforts for developing policies, the Department's Office of the Chief Information Officer has been reviewing emerging (and "disruptive") technologies that provide encryption on an "enterprise" basis for both "data at rest" and "data in motion." The Department is also encouraging its primary IT services contractor to consider those technologies that go beyond the current standard of care in the "encryption" industry. Some of these technologies may solve the expensive "key-logger" problem by encrypting data at the "bit/byte" level, thereby making administration of encryption keys much less cumbersome. Because the EDUCATE contract that the Department has with its primary IT service provider is a "performance based" contract, the Department may not direct the specific "means and methods" of performance there under. However, we are expecting that performance under the contract will result in appropriate department-wide procedures for use of FIPS-compliant cryptography. Recommendation 5. Develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used. The Department agrees with GAO's recommendation to develop and implement a training program on encryption with regard to its direct application to us, and we are already enhancing our training in this area. The Department's on-line security awareness and specialized training program is reviewed and updated annually to help ensure that appropriate improvements are made, including coverage of additional relevant topics. The Department also intends to include encryption as part of its annual security awareness and specialized training program under the Federal Information Security Management Act in Fiscal Year 2009. This training will include how to use encryption technologies implemented department-wide, how encryption works and what capabilities it can provide, what encryption is, what it can and cannot do, and where it fits into the securing of the Department's vital information assets. We appreciate the information provided in the draft report. Please let us know if you have any questions about our comments. Sincerely, Signed by: Bill Vajda: Chief Information Officer: [End of section] Appendix VII Comments from the Department of Housing and Urban Development: U.S. Department Of Housing And Urban Development: Washington, DC 20410-3000: Chief Information Officer: May 28, 2008: Mr. Gregory C. Wilshusen: Director, Information Security Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: Thank you for the opportunity to comment on the Government Accountability Office (GAO) draft report entitled "Federal Agencies Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains, job code 310590. The Department of Housing and Urban Development has reviewed the draft report and is providing the following comments to the recommendations: Evaluate, select, and install FIPS 140-compliant products for all encryption needs and document a plan for implementation that addresses protection of all sensitive information stored and transmitted by the agency. To date, HUD has implemented a FIPS-compliant encrypted flash drive as the enterprise standard, and identified a FIPS-compliant laptop encryption solution which will be implemented in FY2009. HUD will continue to implement FIPS compliant products, in accordance with NIST- approved security settings, to safeguard stored and transmitted sensitive information. Configure installed FIPS-compliant encryption technologies in accordance with NIST- approved security settings for the product. All FIPS compliant encryption technologies security settings are and will be configured in accordance with NIST. Develop and implement department-wide procedures for the use of BPS- compliant cryptography and for encryption key establishment and management. Department-wide procedures will be reviewed to ensure references to use of FIPS- compliant cryptography and encryption key establishment and management are current. In conclusion, HUD agrees with the GAO recommendations and remains committed to strengthen the encryption of sensitive information by implementing plans for fully satisfying each of the conditions identified in GAO's review. More definitive information with timelines will be provided once the final report has been issued If you have any questions or require additional information, please contact Shelia Fitzgerald, Acting Director, Office of Investments, Strategy, Policy and Management at (202)-402-2432. Sincerely, Signed by: Joseph M. Milazzo: Acting Chief Information Officer: [End of section] Appendix VIII: Comments from the Department of State: United States Department of State: Assistant Secretary for Resource Management and Chief Financial Officer: Washington, D.C. 20520: Ms. Jacquelyn Williams-Bridgers: Managing Director: International Affairs and Trade: Government Accountability Office: 441 G Street, N.W.: Washington, D.C. 20548-0001: May 28 2008: Dear Ms. Williams-Bridgers: We appreciate the opportunity to review your draft report, "Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains," GAO Job Code 310590. The enclosed Department of State comments are provided for incorporation with this letter as an appendix to the final report. If you have any questions concerning this response, please contact Peter Gouldmann, Systems Authorization Chief, Bureau of Information Resource Management at (703) 812-2500. Sincerely, Signed by: Bradford R. Higgins: cc: GAO � Greg Wilshesen: IRM � Susan Swart: State/OIG � Mark Duda: Department of State Comments on GAO Draft Report: Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains (GAO-08-525, GAO Code 310590) The Department of State appreciates the opportunity to comment on GAO's draft report entitled "Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains." The subject GAO report recommends the following to the Secretary of State. "To improve the life cycle management of encryption technologies at the Department of State, we recommend that the Secretary of State direct the chief information officer to take the following two actions: Develop and implement department-wide policy and procedures for encryption key establishment and management. Develop and implement department-wide procedures for use of Federal Information Processing Standards (FIPS)-compliant cryptography." The Department of State concurs with the GAO recommendations and is working towards completing the suggested actions. With regard to the first recommendation, the Department has effectively managed the Department's military grade, Type 1 encryption for several decades. Additionally, the Department effectively manages an enterprise- wide Public Key Cryptography program. Several All Diplomatic and Consular Post cables (ALDACs), accompanied by memorandums for domestic offices provided interim policy guidance mandating the encryption of government owned mobile devices. On May 1, 2007, the Department sent an ALDAC that mandated the use of encryption on all Department owned laptop hard drives, regardless of whether they held sensitive information or not. On December 14, 2007, in a second ALDAC, the Department expanded requirements to all mobile devices and media. Subsequently, on April 3, 2008 a third ALDAC was sent announcing availability of a Department acquired FIPS 140-2 compliant encryption solution with central management capabilities. Work is underway to codify this interim guidance and expand it to encompass all unclassified key establishment and management into the Foreign Affairs Manual. With regard to the second recommendation, as previously referenced, the third ALDAC sent April 3, 2008, announced the availability of adequate licenses of a FIPS 140-2 compliant encryption product to encrypt the hard drives of all Department-owned unclassified laptops. In addition to laptops, remote access to the Department's unclassified network is provided using FIPS 140-2 compliant encryption employed in two VPN access solutions. For removable media, the Department has FIPS 140-2 compliant encryption software for some applications, and is evaluating other software for the remaining uses. Policy and procedures for effective central management are being developed. [End of section] Appendix IX: Comments from the General Services Administration: GSA: May 29, 2008: The Honorable Gene L. Dodaro: Acting Comptroller General of the United States: Government Accountability Office: Washington, DC 20548: Dear Mr. Dodaro: The General Services Administration (GSA) appreciates the opportunity to review and comment on the draft report, "Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains" (GAO-08-525). The Government Accountability Office recommends that GSA improve its life cycle management of encryption technologies by developing and implementing agency-wide policy and procedures for encryption key establishment and management along with developing procedures for use of FIPS compliant cryptography. We agree with the findings and recommendations and will use the report findings to improve GSA's life cycle management of encryption technologies. Enclosed is GSA's response to the referenced recommendations. If you have any questions, please contact me. Staff inquiries can be directed to Mr. Kevin Messner, Associate Administrator, Office of Congressional and Intergovernmental Affairs, at (202) 501-0563. Sincerely, Signed by: David L. Bibb: Acting Administrator: Enclosure cc: Mr. Gregory C. Wilshusen Director: Information Technology Issues: U.S. Government Accountability Office: Washington, DC 20548: Government Accountability Office (GAO) Draft Report Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains: GAO-08-525 � Dated June 2008 General Services Administration Comments to the Recommendations: Recommendation 1: GAO recommends that the Acting Administrator direct the Chief Information Officer to develop and implement department-wide policy and procedures for encryption key establishment and management. GSA Response: Concur with recommendation. GSA agrees with the recommendation and will develop and implement agency-wide policy and procedures for encryption key establishment and management. Recommendation 2: GAO recommends that the Acting Administrator direct the Chief Information Officer to develop and implement department-wide procedures for use of FIPS-compliant cryptography. GSA Response: Concur with recommendation. GSA agrees with the recommendation and will develop and implement agency-wide procedures for use of FIPS-compliant cryptography. [End of section] Appendix X Comments from the National Aeronautics and Space Administration: National Aeronautics and Space Administration: Office of the Administrator: Washington, DC 20546-0001: June 3, 2008: Mr. Gregory C. Wilshusen: Director, Information Security Issues: United States Government Accountability Office: Washington, DC 20548: Dear Mr. Wilshusen: Thank you for the opportunity to review and comment on the draft report entitled, Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains (GAO-08-525). In its draft report, the GAO reports several findings from its audit of systems at NASA, followed by three recommended actions. The GAO recommends that, "As the National Aeronautics and Space Administration continues to plan for a departmentwide encryption solution and to improve the life cycle management of encryption technologies, we recommend that the Administrator of National Aeronautics and Space Administration direct the chief information officer to take the following three actions." Recommendation: Establish and implement a mechanism to monitor the successful installation and effective functioning of encryption products installed on devices. Response: NASA concurs with this recommendation. As noted in the GAO report, successful implementation of an encryption method includes monitoring the effectiveness of installed cryptographic controls. In following this guidance, NASA formed an Agency team chartered to provide a recommendation for an enterprise data-at-rest encryption solution. In addition to recommendations from NIST SP800-21, the requirements for this enterprise solution included the ability to continuously monitor the encryption state of every device. NASA has selected a vendor to provide an enterprise encryption solution based on these requirements and has allocated significant resources (personnel and dollars) this fiscal year to implement a centrally managed full-disk encryption solution to replace its current solution. Once this solution is implemented, targeted for April 2009, NASA will be able to provide central reporting on each laptop and desktop encrypted with this software. NASA will be able to push new policies to these systems and remotely disable any laptop or removable media device that is reported lost or stolen. This state- of-the-art encryption functionality will significantly improve NASA's ability to meet its data encryption responsibilities. Recommendation: Develop and implement departmentwide policy and procedures for encryption key establishment and management. Response: NASA concurs with this recommendation. As noted above, the Agency took great care in using the guidance from Government publications in selecting the best encryption solution, including guidance on key establishment and management from NIST SP800-21. NASA policy and detailed procedures currently exist for how encryption keys are created, tracked, revoked, and managed. As part of the implementation of the Agency enterprise solution for data-at-rest encryption, NASA will further document the procedural framework for establishing and managing encryption keys and will disseminate existing and new policies and procedures across the Agency. Recommendation: Develop and implement a training program that provides technical support and end-user personnel with adequate training on encryption concepts, including proper operation of the specific encryption products used. Response: NASA concurs with this recommendation. Further, NASA believes that the most effective encryption technology is completely transparent to the end user and provides constant protection without end user intervention. Many of the modem full-disk encryption solutions offer this level of transparency, including the one selected for deployment at NASA. Training is, nevertheless, a key requirement of the selected solution, and product-specific training will be created and made available to all users as part of the implementation of NASA's enterprise data-at-rest encryption solution. NASA will work with the vendor to create training materials for specific audiences. Topics will include proper use of the product and encryption concepts for the end user as well as troubleshooting, policy creation, forensic integration, and administration for the support staff. My point of contact for this matter is Jerry L. Davis, Deputy Chief Information Officer for Information Technology Security. He may be contacted by e-mail at [email protected] or by telephone at (202) 358-1401. Sincerely, Signed by: Shana Dale: Deputy Administrator: [End of section] Appendix XI GAO Contact and Staff Acknowledgments: GAO Contact: Gregory C. Wilshusen, (202) 512-6244, [email protected]: Staff Acknowledgments: In addition to the individual named above, Nancy DeFrancesco (Assistant Director), James Ashley, Debra Conner; Season Dietrich, Neil Doherty, Nancy Glover, Joel Grossman, Ethan Iczkovitz, Stanley J. Kostyla, Lowell Labaro, Rebecca Lapaze, Anjalique Lawrence, Harold Lewis, Lee McCracken, and Tammi L. Nguyen made key contributions to this report. [End of section] Glossary: Access Control: Process of determining the permissible activities of users and authorizing or prohibiting activities by each user. Authentication: Process of confirming an asserted identity with a specified or understood level of confidence. Authorization: Granting the appropriate access privileges to authenticated users. Card Management System: A system that manages life cycle maintenance tasks associated with the credentials, such as unlocking the personal identity verification cards during issuance or updating a personal identification number or digital certificate on the card. Certificate: A digital representation of information that (1) identifies the authority issuing the certificate; (2) names or identifies the person, process, or equipment using the certificate; (3) contains the user's public key; (4) identifies the certificate's operational period; and (5) is digitally signed by the certificate authority issuing it. A certificate is the means by which a user is linked--or bound--to a public key. Ciphertext: Data in an encrypted form. Container: The file used by a virtual disk encryption technology to encompass and protect other files. Credential: An object, such as a smart card, that identifies an individual as an official representative of, for example, a government agency. Digital Signature: The result of the transformation of a message by means of a cryptographic system using digital keys, so that a relying party can determine (1) whether the transformation was created using the private key that corresponds to the public key in the signer's digital certificate and (2) whether the message has been altered since the transformation was made. Digital signatures may also be attached to other electronic information and programs so that the integrity of the information and programs may be verified at a later time. Electronic Credentials: The electronic equivalent of a traditional paper-based credential--a document that vouches for an individual's identity. End-to-End Encryption: The encryption of information at its origin and decryption at its intended destination without any intermediate decryption. File: A collection of information that is logically grouped into a single entity and referenced by a unique name, such as a file name. Folder: An organizational structure used to group files. Full Disk Encryption: The process of encrypting all the data on the hard drive used to boot a computer, including the computer's operating system, that permits access to the data only after successful authentication with the full disk encryption product. Hardware Based Encryption: Encryption that is normally performed by dedicated hardware in the client/host system. Identification: The process of determining to what identity a particular individual corresponds. Key: A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. Malware: A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or of otherwise annoying or disrupting the victim. Master Boot Record: A computer's master boot record is a reserved sector on its bootable media that determines which software (e.g., operating system, utility) will be executed when the computer boots from the media. Operating System: The program that, after being initially loaded into the computer by a boot program, manages all the other programs in a computer. Examples of operating systems include Microsoft Windows, MacOS, and Linux. The other programs are called applications or application programs. The application programs make use of the operating system by making a request for service through a defined application program interface. In addition, users can interact directly with the operating system through a user interface such as a command language or a graphical user interface. Private Key: The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data. Public Key: The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data. Public Key Infrastructure: A system of hardware, software, policies, and people that, when fully and properly implemented, can provide a suite of information security assurances--including confidentiality, data integrity, authentication, and nonrepudiation--that are important in protecting sensitive communications and transactions. Risk: The expectation of loss expressed as the probability that a threat will exploit a vulnerability with a harmful result. Senstitive Information: Any information that an agency has determined requires some degree of heightened protection from unauthorized access, use, disclosure, disruption, modification, or destruction because of the nature of the information, e.g., personal information required to be protected by the Privacy Act of 1974, proprietary commercial information, information critical to agency program activities, and information that has or may be determined to be exempt from public release under the Freedom of Information Act. Standard: A statement published on a given topic by organizations such as the National Institute of Standards and Technology, the Institute of Electrical and Electronics Engineers, the International Organization for Standardization, and others specifying characteristics--usually measurable ones--that must be satisfied to comply with the standard. Trusted Platform Module Chip: A tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information such as passwords and cryptographic keys. Virtual Disk Encryption: The process of encrypting a container, which can hold many files and folders, and of permitting access to the data within the container only after proper authentication is provided. In this case, the container is typically mounted as a virtual disk; it appears to the user as a logical disk drive. Virtual Private Network: A virtual private network is a logical network that is established, at the application layer of the open systems interconnection model, over an existing physical network and typically does not include every node present on the physical network. [End of section] Footnotes: [1] As used in this report, the term �sensitive information� refers to any information that an agency has determined requires some degree of heightened protection from unauthorized access, use, disclosure, disruption, modification, or destruction because of the nature of the information, e.g., personal information required to be protected by the Privacy Act of 1974, proprietary commercial information, information critical to agency program activities, and information that has or may be determined to be exempt from public release under the Freedom of Information Act. [2] GAO, Privacy: Preventing and Responding to Improper Disclosures of Personal Information, GAO-06-833T(Washington, D.C.: June 8, 2006). [3] Encryption is a subset of cryptography, which is used to secure transactions by providing ways to ensure data confidentiality (assurance that the information will be protected from unauthorized access), data integrity (assurance that data have not been accidentally or deliberately altered), authentication of the message's originator, electronic certification of data, and nonrepudiation (proof of the integrity and origin of data that can be verified by a third party). [4] For purposes of this report, the terms "personally identifiable information" and "personal information" refer to any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records, and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. [5] The 24 major federal agencies are the Agency for International Development; the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; the General Services Administration; the National Aeronautics and Space Administration; the National Science Foundation; the Nuclear Regulatory Commission; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration. [6] "System of records" is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by an individual identifier. [7] Critical infrastructures include cyber and physical, public and private infrastructures that are essential to national security, national economic security, or national public health and safety. [8] J. Michael McConnell, Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence, Feb. 5, 2008. [9] Security controls--access controls--should provide reasonable assurance that computer resources (data files, application programs, and computer-related facilities and equipment) are protected. Such controls include physical access controls, such as keeping computers in locked rooms, and logical access controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. [10] A system interconnection is the direct connection of two or more IT systems for the purpose of sharing data and other information resources. [11] NIST, Special Publication 800-11, Guide to Storage Encryption Technologies for End User Devices (Gaithersburg, Maryland: November 2007). [12] A key is a value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. [13] NIST, Information Technology Laboratory Bulletin: Advising Users on Information Technology, (Gaithersburg, Maryland: March 2007). [14] NIST, Special Publication 800-11. [15] Microsoft Corporation, Windows Mobile Devices and Security: Protecting Sensitive Business Information, (March 2006). [16] NIST, Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, (Gaithersburg, Maryland: August 2002). [17] NIST, Special Publication 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, (Gaithersburg, Maryland: October 2000). [18] Public key infrastructure is a system of hardware, software, policies, and people that, when fully and properly implemented, can provide a suite of information security assurances--including confidentiality, data integrity, authentication, and nonrepudiation-- that are important in protecting sensitive communications and transactions. For more information about public key infrastructure, see GAO, Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001). [19] A private key is the secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data. [20] NIST Special Publication 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices, (Gaithersburg, Maryland: November 2002). [21] Pub. L. No. 107-347 (Dec. 17, 2002). [22] Pub. L. No. 104-191 (Aug. 21, 1996). [23] Pub. L. No. 109-461 (Dec. 22, 2006). [24] OMB Memorandum 04-04 requires agencies with systems using remote authentication to conduct special electronic authentication risk assessments and select proper controls as recommended by NIST to protect sensitive information on those systems. [25] NIST, Special Publication 800-63, Electronic Authentication Guideline (Gaithersburg, Maryland: April 2006). [26] The checklist provided in M-06-16 provides specific actions to be taken by federal agencies for the protection of personally identifiable information categorized in accordance with FIPS 199 as moderate or high impact that is either accessed remotely or physically transported outside of the agency's secured physical perimeter. The security controls and associated control assessment methods/procedures in the checklist were taken from NIST Special Publication 800-53 and NIST Special Publication 800-53A. [27] NIST, Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems, (Gaithersburg, Maryland: December 2007). [28] FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (Gaithersburg, Maryland: February 2004). [29] Supersedes FIPS 140-1, 1994. [30] OMB M-07-16. [31] FIPS 180-2, 186-3, and 197. [32] FIPS 199. [33] FIPS 200, Minimum Security Requirements for Federal Information and Information System. (Gaithersburg, Maryland: March 2006). [34] We selected six agencies that reported having initiated efforts to install FIPS-validated cryptographic modules encryption technologies on their laptop computers, BlackBerry� devices, or virtual private networks or that had either experienced publicized incidents of data compromise or were expected to collect, store, and transmit a wide range of sensitive information. The six agencies are the General Services Administration; the Departments of Education, Agriculture, Housing and Urban Development, and State; and the National Aeronautics and Space Administration. [35] We were unable to test the installation of encryption products on deployed laptops assigned to State employees because although the inventory provided by the agency indicated that the employees were assigned to the location that we visited, they were actually assigned to posts throughout the world. We instead discussed the encryption installation process with State officials and verified use of a FIPS- validated cryptographic modules product on one unassigned laptop (not from our sample) that agency officials provided for our examination. Officials stated that the laptop inventory provided for our review included only those laptop computers that were assigned for telecommuting and that it did not constitute the entire universe of State's laptops. A State official asserted that all of the telecommuting laptops--about 2,100 in total--were encrypted as a condition for assigning the device to a telecommuting employee and that approximately 19 percent of their remaining laptops were encrypted. [36] We conducted testing at the headquarters locations of the Departments of Housing and Urban Development and State, the General Services Administration, and the National Aeronautics and Space Administration. We conducted testing at the Food and Nutrition Service component of the U.S. Department of Agriculture and at the Federal Student Aid component of the Department of Education. [37] At the Departments of Housing and Urban Development and State, we tested only the BlackBerry server and virtual private networks. [38] OMB, Reducing Cost and Improving Quality in Federal Purchases of Commercial Software (M-03-14), (Washington, D.C. June 2, 2003). GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: [email protected]: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, [email protected]: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, [email protected]: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: *** End of document. ***