Data Protection in Government: Who is Watching the Watchers?

Private industry looks to government for guidance on data protection and data management. When a state passes a new privacy law, or when the U.S. government dictates how a person’s healthcare data is to be handled and protected, organizations take action. Lawyers draft the appropriate policies and IT teams put the tools in place to comply. But what about those government agencies? Don’t they have sensitive information that needs protecting, too?

The answer is yes. But just as there are data security laws and regulations for businesses and other organizations, there are also laws that hold local, state, and federal agencies to account for data protection. Citizens, businesses, and government agencies are compelled to share highly sensitive data with governmental organizations and there is an expectation that those agencies will live up to the trust they demand of us. Think about the kinds of information that governments collect, process, store, and move in order to provide public services:

  • Citizen and business tax and financial data
  • Legal files for criminal and civil suits
  • Healthcare data
  • Social Security numbers
  • Telephone numbers
  • Email and physical addresses
  • Birth certificates
  • Marital records
  • Military service records
  • Identification documents (driver’s license, passport, military and personal ID)
  • Classified and controlled unclassified military information

That’s just a small sample of the more common types of information, and at the federal level it is covered under the Federal Information Security Management Act (FISMA), part of the E-Government Act of 2002. The E-Government Act was passed in recognition that, as government services transition more and more to online services and digital transactions, individuals, businesses, and other organizations will need to have trust that the sensitive data they share will be given adequate protection.

FISMA requires that federal agencies develop, document, and implement a security plan to protect the information they receive, store, and transfer. But as with any large, diverse, and highly distributed organization—even one with all the resources of the federal government—mistakes happen… often. In 2019 a U.S. Senate Permanent Subcommittee on Investigations (PSI) report found that eight federal agencies failed to provide adequate protection of personally identifiable information (PII). The oversights included a lack of encryption and a lack of access controls.

The PSI report also found that, since 2011, the Department of Education was “unable to prevent unauthorized outside devices from easily connecting to the agency’s network. In its 2018 audit, the IG found the agency had managed to restrict unauthorized access to 90 seconds, but explained that this was enough time for a malicious actor to ‘launch an attack or gain intermittent access to internal network resources that could lead to’ exposing the agency’s data.” And NASA admitted to being hacked after an unauthorized Raspberry Pi device was connected to its IT network and used as an attack vector by malicious actors.

The U.S. Army holds an annual five-week event it calls “Hack the Army” that invites ethical hackers to test the Army’s digital defenses and report vulnerabilities. In 2019 there were 52 participants, and by the time Hack the Army ended, 146 vulnerabilities had been found. That’s not a lot for an organization the size of the Army, but since Hack the Army began in 2016 more than 10,000 vulnerabilities have been found and fixed. The Pentagon—which by some estimates is targeted by hackers more than 10 million times per day—announced a similar program earlier this year.

History has shown that no organization is immune to hacking, or to the human error that compromises sensitive information, but there are tools that can help minimize the risk. One is the technology known as managed file transfer (MFT), which has been used for decades to protect information in transit, when it is at its most vulnerable.

A good MFT platform, like Coviant Software Diplomat MFT, combines encryption and automation to address two key aspects of information security. And because documentation is vital to proving you’ve met your obligations under the law, Diplomat MFT supports full auditability. Diplomat MFT is simple to install and use, supports two-factor authentication, is compatible with all major web services, and is engineered to be turnkey, while allowing for just the right amount of customization to ensure your organization’s needs are met.

Best of all, while Diplomat MFT is a full-featured managed file transfer platform, it is also the industry’s best value. We’re confident that Diplomat is the best MFT platform on the market, which is why we’ve made it available to try for free so you can see how easy and effective it is. Download your Diplomat MFT trial today and we think you’ll agree. And as a taxpayer, I’ll thank you next April 15.
