In response to the embarrassment and perceived threat resulting from the WikiLeaks disclosures in recent months, the Office of Management and Budget has issued a hefty memo with pages of questions that federal agencies must use to conduct an initial assessment of their programs to handle and protect classified information by the end of the month. The document directs agencies to “assess what your agency has done or plans to do to address any perceived vulnerabilities, weaknesses, or gaps on automated systems in the post-WikiLeaks environment.”
The memo, which the director of OMB issued Monday, is a follow-on to a directive sent out in November by OMB regarding the mishandling of classified information that aided the WikiLeaks disclosures. The result of the public embarrassment of the WikiLeaks mess is that the government now wants all of the agencies that handle classified data to reassess the ways that they protect and handle that data in their computer networks.The memo was sent by OMB Director Jacob Lew, and it makes clear that all of the agencies that handle classified data have to complete this initial assessment by Jan. 28.
The questions contained in the memo are somewhat elementary and basic, seemingly aimed at determining whether an agency has any kind of security program in place at all. For example:
- Has your agency identified its high value information and processes that must be protected? What process is in place to update and reevaluate these?
- How does your agency ensure that procedures are in place to prevent classified information in removable media and other media (back-up tapes, etc.) is not removed from official premises without proper authorization?
- Do you control media access devices and ports on your IT systems to prevent data exfiltration?
Some of the questions stray a little bit into the wilderness:
- Do you use psychiatrist and sociologist to measure:
o Relative happiness as a means to gauge trustworthiness?
o Despondence and grumpiness as a means to gauge waning trustworthiness?
- Do you capture evidence of pre-employment and/or post-employment activities or participation in on-line media data mining sites like WikiLeaks or Open Leaks?
Large portions of the questionnaire are devoted to the insider threat and the threat from removable media such as USB drives and CDs. Much of the data that has been disclosed by WikiLeaks is thought to have been removed through the use of USB drives and the government has focused much of its efforts in the months since the disclosures on reducing the number of people–especially lower-level personnel–who have access to sensitive data. But most of the questions in the assessment are things that any government agency–or business of any size–should have addressed long before now.
The memo from Lew also says that both the Information Security Oversight Office and the Office of the Director of National Intelligence will be conducting periodic assessments of agencies’ programs over time.