The federal government is not doing enough to secure sensitive information, according to a report issued by the Cyber Security Industry Alliance (CSIA), a lobbying group of security vendors based in Arlington, Va.
In its annual report, the organization is also criticizing Congress for failing to pass a comprehensive data security law in 2006 requiring companies with data breaches to notify victims.
"All organizations that hold sensitive and personal information need to have policies in place that are focused on securing that data and the processes to implement those policies," said Liz Gasster, acting executive director and general counsel of the CSIA.
Gasster said she is optimistic that Congress will pass a data security law this year addressing data security and breach notification. The bill failed in the past over jurisdictional issues between congressional committees, she said. The law should apply equally to the government and the private sector.
Congress also must still choose a standard to enhance data encryption, an area that two congressional committees have failed to come to an agreement on, she said.
Lawmakers are also finding it difficult to decide whether to give state attorneys general more authority to enforce such an act.
"We want to have strong enforcement and as many enforcers out there as possible, but on the flip side, it can lead to inconsistent enforcement," Gasster said.
Specifically, the CSIA rated the federal government in three areas:
The federal government was coming off a year in which a laptop containing the names, Social Security numbers and dates of birth of up to 26.5 million military veterans and some spouses was stolen. Several other agencies reported similar incidents of stolen laptops containing sensitive data.
The top cybersecurity job at the Department of Homeland Security (DHS) also sat vacant for more than a year until Gregory Garcia took the post in the fall.
The CSIA is also calling on the DHS to quickly establish cybersecurity and telecommunications priorities and to address emergency communications in the event of a major information infrastructure attack or disruption. The organization says a system should be implemented to monitor the entire information infrastructure.
"What's key is that it needs to be risk based and based on the kind of information that is at issue," Gasster said. "The government has an obligation to implement security practices to secure that information."
Finally, the group said the Federal Information Security Management Act (FISMA) should be strengthened to give government CIOs better enforcement authority over budgets and personnel resources. The law should also give federal agencies better tools to scrutinize federal contractors to ensure that they comply with FISMA requirements.