US feds to cut use of Social Security numbers

By Dan Kaplan
May 25, 2007 9:57 AM
Clay Johnson, deputy director of the Office of Management and Budget, issued the new mandates on Wednesday in a memo that also required agencies to develop training programs and breach notification policies.

"Safeguarding personally identifiable information in the possession of government and preventing its breach are essential to ensure that government retains the trust of the American public," Johnson wrote in the memo.

Asking agencies to be proactive, the memo ordered them to store the minimum number of personal records and to devise a plan to end the unnecessary use of Social Security numbers. That plan must be developed within four months and acted on within 18 months thereafter.

The memo comes almost a year to the day after thieves stole the laptop of a Department of Veterans Affairs employee, which contained the personal information of roughly 26.5 million veterans and current military personnel.

Since then, data exposures have affected a number of federal agencies. Most recently, the Transportation Security Administration announced that an external hard drive containing the sensitive data of about 100,000 employees was either lost or stolen.

In April, federal agencies scored an average information security grade of C-minus under the Federal Information Security Management Act, a slight improvement from the prior year.

Alan Paller, director of research for the SANS Institute, told SCMagazine.com that he applauds the initiative, but that eliminating the use of personal information is only one piece of the information security puzzle.

He said the federal government should employ the Payment Card Industry (PCI) audit guide when examining the security posture of an agency. Paller said PCI metrics are more valid and reliable than the FISMA audit guide for determining how well an agency can defend itself against an attack.

The 22-page memo from OMB also required agencies to institute a data breach-notification policy within four months, using existing FISMA guidelines and other privacy legislation built on National Institute of Standards and Technology (NIST) standards.

The memo also outlined training requirements for federal employees, including remote workers.

 