By Earl Hicks, Founder and Chief Executive Officer, LegaLock Solutions
Building a criminal case for trial often takes years of tedious investigation, but for the more than 300,000 federal cases[1] processed each year there is a little-known and little-understood security mandate covering remote data encryption that can derail an otherwise successful case. State and local law enforcement agencies also need to know how and why it applies to them.
The Remote Data Encryption Mandate: The Basics
The Office of Management and Budget (OMB) Memorandum M-06-16,[2] referred to here as the Remote Data Encryption Mandate, was issued in June 2006 to better protect the flow of information into and out of government agencies. It was prompted in part by a series of stolen or lost laptops at the Department of Veterans Affairs[3] and other agencies, which put at risk sensitive data on millions of individuals.
The premise of the mandate is to protect sensitive information that leaves agency premises, whether on mobile computers such as laptops or on removable media. Most federal operations process information in government offices, where protection is provided by centrally managed encryption and network security controls, but for many government personnel, including state and local law enforcement officers conducting interviews and gathering information in the field, no comparable network- or server-based protection is in place. If those controls are not available in the field, the information being processed is at risk. Under the memorandum, sensitive but unclassified (SBU) data stored on or transmitted from mobile devices must be encrypted using a cryptographic module validated against the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2.[4] One practical caveat: FIPS 140-2 is a set of security requirements for cryptographic modules, not an encryption algorithm, so a product satisfies the mandate only if its module actually holds a validation certificate from the NIST Cryptographic Module Validation Program. A vendor’s claim of “FIPS-compliant” encryption is not the same thing as a validated module.
A Rock and a Hard Place: Securing Transcriptions Is Essential
This is where the “between a rock and a hard place” dilemma arises. In addition to remote investigative work, transcription for federal legal and criminal cases has been, and continues to be, performed by commercial transcription and deposition service companies that do not adhere to secure encryption standards. Most transcribers process SBU material on home computers and transmit it unencrypted over the Internet or through commercial mail carriers. Alternative arrangements, such as bringing contracted transcribers on-site where secure computers and networks are available, are cumbersome and can reduce the productivity of others in the office who must give up workspace or equipment.
Why does this matter? It will take only one case dismissed because sensitive testimony or evidence was compromised to generate headlines on the scale of the Department of Veterans Affairs incident. Law enforcement agencies and personnel work too hard to build prosecutions to let a matter of convenience jeopardize the legal process.
State and Local Agencies: Moving Ahead with Security Requirement
Although state and local law enforcement agencies are bound by federal information security and data storage requirements only when they are brought into a federal investigation, they face the same risk of having their own criminal investigations jeopardized by mishandled information. To address this, most local jurisdictions have implemented information security requirements comparable to those of their federal counterparts. Examples include requiring contractors to store department data on a separate, dedicated server; permitting only encrypted computer equipment; and conducting random spot checks of the equipment and facilities that house sensitive investigative information.
Agencies should not avoid addressing information security on the assumption that a large budget is required to achieve complete information assurance. Data protection solutions are not cheap, but the more important first step is an effective information security education program delivered to all employees regardless of position or status. Once every officer, employee, volunteer, and contractor understands the leadership’s commitment to the program and knows the standard protection practices, an agency significantly reduces the chance that sensitive case information will be lost or mishandled.
Ensuring Your Agency Is in Compliance
Every law enforcement agency involved in federal investigations needs to ask how it uses, accesses, and transmits government data, and whether those practices comply with the encryption requirements of OMB M-06-16 and the security practices required under the Federal Information Security Management Act (FISMA).[5] For state and local agencies, that should include, at a minimum, proactively examining how officers carry sensitive investigative case information outside department facilities and how those data are shared with contract vendors such as transcription services.
The federal and local information exposed through noncompliance, although unclassified, is sensitive enough to cause serious harm if it falls into the wrong hands. For the law enforcement community, ensuring that hard-won evidence and testimony are protected all the way to court is essential.
[1] U.S. District Courts, “Judicial Caseload Profile,” 2008, http://www.uscourts.gov/cgi-bin/cmsd2008.pl (accessed October 21, 2009).
[2] Clay Johnson III, “Protection of Sensitive Agency Information,” Memorandum M-06-16 (Office of Management and Budget, 2006), http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf (accessed October 21, 2009).
[3] Robert Ellis Smith, “Laptop Hall of Shame,” Forbes.com, September 7, 2006, http://www.forbes.com/2006/09/06/laptops-hall-of-shame-cx_res_0907laptops.html (accessed October 21, 2009).
[4] Information Technology Laboratory, National Institute of Standards and Technology, Security Requirements for Cryptographic Modules, Federal Information Processing Standards (FIPS) Publication 140-2, May 25, 2001, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf (accessed October 21, 2009).
[5] Federal Information Security Management Act of 2002, H.R. 2458, http://csrc.nist.gov/drivers/documents/FISMA-final.pdf (accessed October 21, 2009).