The White House Office of Management and Budget (OMB) is giving US federal agencies 120 days to develop and implement a security breach notification policy.
Agencies have also been instructed in that time to review their use of personally identifiable information (PII), and to develop plans to reduce or eliminate the unnecessary use of Social Security numbers and other personal data.
The deadlines were set forth in a memorandum sent to the heads of executive departments and agencies last week by Clay Johnson, the OMB's deputy director for management. In the memo, Johnson also outlined several other data loss mitigation measures that he wanted agencies to implement.
The measures included designing strategies for protecting data during remote access, assigning roles and responsibilities for individuals with access to personal data, and implementing policies for corrective actions for failures to follow security guidelines.
The measures are needed to better protect against and respond to security breaches involving private data, Johnson said in his 22-page memo.
"Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public," he wrote.
The memo directs the agencies to use "a best judgment standard" in developing a breach notification policy and urges them to ensure the "widest possible" distribution of the standards across each agency.
It reiterates several of the existing privacy and security measures that agencies are obligated to fulfill, such as prioritizing their information systems, doing privacy impact analysis and performing continuous monitoring of sensitive systems.
In addition to these requirements, Johnson's memo establishes two new privacy controls and discusses five other security measures that federal agencies need to undertake.