Data Protection in Government: Who is Watching the Watchers?

Private industry looks to the government for guidance on data protection and data management. When a state passes a new privacy law, or the U.S. government dictates how a person’s healthcare data is handled and protected, organizations take action. Lawyers draft the appropriate policies, and IT teams put the tools in place to comply. But what about those government agencies? Don’t they have sensitive information that needs protecting, too?

The answer is yes. But just as there are data security laws and regulations for businesses and other organizations, laws hold local, state, and federal agencies to account for data protection. Citizens, businesses, and government agencies are compelled to share highly sensitive data with governmental organizations. There is an expectation that those agencies will live up to the trust they demand of us. Think about the kinds of information that governments collect, process, store, and move to provide public services:

  • Citizen and business tax and financial data
  • Legal files for criminal and civil suits
  • Healthcare data
  • Social Security numbers
  • Telephone numbers
  • Email and physical addresses
  • Birth certificates
  • Marital records
  • Military service records
  • Identification documents (drivers license, passport, military, and personal ID)
  • Classified and controlled unclassified military information

That’s just a small sample of the more common types of information. At the federal level, it is covered under the Federal Information Security Management Act (FISMA), part of the E-Government Act of 2002. The E-Government Act was passed in recognition that, as government services transition more and more to online services and digital transactions, individuals, businesses, and other organizations will need to have trust that the sensitive data they share will be given adequate protection. 

FISMA requires that federal agencies develop, document, and implement a security plan to protect the information it receives, stores, and transfers. But as with any large, diverse, and highly distributed organization—even one with all the federal government’s resources—mistakes happen often. In 2019 a U.S. Senate Permanent Subcommittee on Investigations (PSI) report found eight federal agencies failed to provide adequate protection of personally-identifiable information (PII). Among oversights included a lack of encryption and access controls.

The PSI report also found that, since 2011, the Department of Education was “unable to prevent unauthorized outside devices from easily connecting to the agency’s network.  In its 2018 audit, the IG found the agency had managed to restrict unauthorized access to 90 seconds but explained that this was enough time for a malicious actor to ‘launch an attack or gain intermittent access to internal network resources that could lead to exposing the agency’s data.”. And NASA admitted to getting hacked after an unauthorized Raspberry Pi device connected to its IT network and was used as an attack vector point by malicious actors.

The U.S. Army holds an annual five-week event it calls “Hack the Army” that invites ethical hackers to test the Army’s digital defenses and report vulnerabilities. In 2019 there were 52 participants, and when Hack the Army was over, 146 vulnerabilities were found. That’s not a lot for an organization the Army’s size, but since Hack, the Army began in 2016, more than 10,000 vulnerabilities have been found and fixed. By some estimates, the Pentagon is targeted by hackers more than 10 million times per day—announced a similar program earlier this year.

History has shown that no organization is immune to hacking or human error that compromises sensitive information, but some tools can help minimize the risk. One is the technology known as managed file transfer (MFT), used for decades to protect the information in transit when it is most vulnerable.

Like the Coviant Software Diplomat MFT family of managed file transfer platforms, a good MFT platform combines encryption and automation to address two critical aspects of information security. And because documentation is vital to proving you’ve met your obligations under the law, Diplomat MFT supports full auditability. Diplomat MFT is simple to install and use, uses two-factor authentication, is compatible with all primary web services, and is engineered to be turnkey while allowing for just the right amount of customization to ensure your organization’s needs are met.

Best of all, while Diplomat MFT is a full-featured managed file transfer platform, it is also the industry’s best value. We’re confident that Diplomat is the best MFT platform on the market, which is why we’ve made it available to try for free so you can see how easy and effective it is. Download your Diplomat MFT trial today, and we think you’ll agree. 

 


Request your Free Trial

  • To find out what personal data we collect and how it's used, please take a look at our Privacy Policy