The year 2000 was also a memorable time for the IT world. We survived the feared Y2K problem, but the dot-com bubble was about to burst. Google was just a baby and desktop computers dominated the IT landscape.
But the year 2000 is significant in another respect—it was the last time the U.S. federal government (the “Feds”) reviewed and updated its data security policies. We kid you not. Until recently, the Feds were relying on 16 year-old data security policies. As you might expect, the policies contained antiquated notions of data security, including one that listed “password protection” as the only “effective security technique.”
The good news is that the Feds recently reviewed the outdated policies and have released a revised version entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). The impetus for the Circular, according to the Feds, is the “rapidly evolving digital economy.” If that is true, logic suggests the Feds would have reviewed/updated their data security policies much earlier than they did. The truth is that Feds were forced to take a more proactive approach to data security after a hack occurred last year at the Office of Personnel Management that was described as the “most devastating cyber attack in our nation’s history.”
Certain statements in the Circular demonstrate an understanding by the Feds of the gravity of the situation. For example, the Feds state an awareness that IT is “at the core of nearly everything the Federal Government does.” And to their credit, the Feds acknowledge they “cannot afford to authorize a system and not look at it again for years at a time.” Time will tell whether the Feds practice what they preach.
The release of the Circular generated a great deal of attention, but it is really nothing extraordinary. It’s the type of document the Feds have required of private sector organizations for quite some time. For example, the Federal Trade Commission has a document containing a 10-step data security policy guide for businesses, and the Federal Communications Commission created a similar document for private sector businesses entitled Cyber Security Planning Guide. The Circular incorporates the policies from these two documents (as well as a whole lot more, because it’s tough to stop the Feds once they start writing policies).
The Feds have consistently fined businesses for failing to “implement and maintain” data security policies. Similarly, companies have avoided the wrath of the FTC by showing they had established and implemented “comprehensive” data security policies. Talk about hypocrisy; judging private sector businesses by standards with which the Feds had never complied. I guess it’s good to be the king, so to speak.
They claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” Let’s just say that we are skeptical.
Why? To be effective, policies should be written clearly and concisely, targeted to the end user. Too many policy manuals are ignored or never read because they are too wordy, boring, or confusing. The Circular is all of that. It’s an 85-page monstrosity with a host of problems.
To start with, there are a total of 90 definitions that consume the better part of 12 pages of single-spaced text. To make matters worse, the Circular is replete with general statements of policy, but lacking in understandable specifics. The Circular also points readers to plethora other regulations, such as a requirement to “[i]mplement security policies issued by OMB, as well as requirements issued by the Department of Commerce, the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Office of Personnel Management (OPM). If that weren’t enough, the Circular directs users “to apply the standards and guidelines contained in the NIST FIPS, NIST SPs (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).” Good luck with that one!
That said, the Circular has certain favorable aspects that are worth noting. We will discuss this in an upcoming post.
If you have questions about the above content, contact our data security experts at firstname.lastname@example.org.