How's that for a deadline?

"The Bush Administration is giving federal civilian agencies just 45 days to comply with new recommendations for laptop encryption and two-factor authentication." - http://www.securityfocus.com/brief/239

45 days. Man, I hope they've already started, because 45 days to analyse the field, pick a vendor, test proof of concept, agree on licences, buy the software, deploy a pilot, train staff, and roll out to everyone without making day one into a mass "hey, guys, I forgot my password, can you decrypt me?" phone-tag game - wow, that's tight.

Like I say, I hope they've already started - and quite frankly, I already hoped they'd already started, because to not do so... that's crazy.

Of course, the other tack to take - at the same time, I hope - is to stop storing the damn data on the portable devices. Wherever possible, those laptops (and other portable data storage devices, let's not forget thumb drives) need to have nothing more damning on them than a copy of Windows (or, I don't know, Fisher Price's "My Little Sony", whatever you other people use), and the VPN client to connect back to the home base. Sure, sometimes, you have to carry data around with you, but good luck getting approval to do so, or avoiding a tongue-lashing if you're found to have that data on your laptop without significant reason to do so.

Published Wed, Jun 28 2006 21:41 by Alun Jones
Comments

# re: How's that for a deadline?

Gee Alun, you've been in the US to understand the government procurement cycle, haven't you?  They'll pick the vendor with the cheapest bid, who will take twice as long to implement, may not be successful and will cost twice as much as the highest bid in the long run.  Oh, and once the project is complete somebody new will come along and scrap the whole thing for a better idea.  Thank goodness I don't work in the public sector, I have too much common sense for that!

Thursday, June 29, 2006 1:20 PM by Terry Constable

# re: How's that for a deadline?

If they have any sense, the project managers will say "that's too short a schedule for us, so starting August 1, all laptops must be returned to offices, and will not be allowed to be used until the encryption scheme is in process".
Sadly, they'll simply pick a product at random, push it out, and deal with everyone calling the help-desk at once because they've forgotten (or never had) the password.  Help-desk will then abandon (if they were ever told) any verification policies, and you'll be able to pick up a laptop from a government department, call the number printed on the label on the underside of the laptop, and ask for the unlock password, which they'll give to you.

Thursday, June 29, 2006 1:45 PM by Alun Jones

# Laptop encryption notes...

More laptop encryption news:
"A U.S. government computer loaded with approximately 133,000 drivers'...

Wednesday, August 09, 2006 7:07 PM by Tales from the Crypto
