The U.S. Securities and Exchange Commission needs improvement in internal cybersecurity controls and accounting procedures, according to a recent GAO report. A significant portion of the 45-page document focused on information security deficiencies.

In the agency's 2009 annual financial statement audit, the GAO identified seven weaknesses in information security controls. According to the report, SEC did not adequately:

• Segregate computer-related duties and functions,
• Restrict user privileges,
• Implement patches and current software versions,
• Use approved, secure means to transmit data,
• Implement configuration management, and
• Complete a certification and accreditation of its general ledger system and supporting processes during the fiscal year.

Prior SEC audits from 2005, 2007, 2008 and 2009 identified 43 security weaknesses in information system controls. At the time of the March 16 report 22 of those corrective actions remained unresolved. Authorization proves to be an especially challenging category for the SEC--only one of the five recommendations has been successfully completed in that area. Configuration management, especially in the area of patches and upgrades, also needs attention with 10 out of 13 corrective actions unresolved for the category.

For more:
- read the GAO report (.pdf)

Related Articles:
GAO: Bureau of Public Debt must address information security
IRS cybersecurity weak
GAO: DoD loses track of 72,000 combat records
GAO: Cybersecurity flaws at Los Alamos lab

In a case of technology outpacing expectations of privacy, White House deputy CTO and former Google lobbyist Andrew McLaughlin found his Google Buzz messages posted publicly online and now a watchdog wants his emails between him and his former employer.

After political gadfly website Big Government posted screenshots of McLaughlin's Buzz messages, the nonprofit Consumer Watchdog filed April 1 a FOIA request for copies of email correspondence between McLaughlin and Google.

"The appointment was troubling when it was announced, but signs that McLaughlin is continuing a cozy relationship with his former employer while serving in the top White House Internet policy job are even more disconcerting," said John M. Simpson, consumer advocate for Consumer Watchdog, in a press release.

"The public has a right to see exactly what sort of messages have been exchanged with his former employer and colleagues," Simpson added.

Online reaction to evidence of McLaughlin's ongoing communication with Google employees is mixed.

Big Government insinuated dark things. "What are they communicating privately about? Perhaps 'shaping policy that affects Google's rivals'?" states a post by an author called "Capitol Confidential."

The Register, unsurprisingly, cackled over the irony of a former Google executive having his privacy undermined by a Google product, especially in light of Google CEO' Eric Schmidt's recent comment that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

eWeek Google Watch blogger Clint Boulton dismissed McLaughlin's Buzz posts as inconsequential. "Google isn't getting special treatment from the Obama administration. If anything, it's getting quietly railed," he wrote.

For more:
- see the Big Government blog post on McLaughlin's Google Buzz messages
- read the Consumer Watchdog press release, and its FOIA request (.pdf)
- here's The Register's blog post and the Google Watch blog post

Related Articles:
Reform the Electronic Communications Privacy Act, says new coalition
DHS: Einstein security system won't read emails

Agency open government plans will be unveiled this week.

In a Dec 8, 2009 memo, Office of Management and Budget director Peter Orszag directed agencies to prepare and post online, by April 7, plans on how they will be more transparent, open to public participation and collaborative with other official and non-official entities, as well as the public. It also requires agencies to identify at least one "flagship initiative" and includes an exhortation to
respond to public feedback on a regular basis.

Already many agencies have created "open government" websites, findable by adding "/open" to the end of their .gov URL.

The Agriculture Department already has posted an online draft of its report, which proposes two flagship initiatives. It will enhance the collaborative development of the New Forest Planning Rule by expanding "the use of the latest technologies and build[ing] on the collaborative rules already in place," the report states.

It also highlights an multi-phased online contest called Innovations for Health. Future contests will include a challenge to produce a motivating public service announcement and creating healthful recipes for use in schools.

Other transparency efforts due to be unveiled this week include an OMB ban on cookies on federal websites, online rule-making guidelines and new guidance for agencies to report details on subawards to USAspending.gov, Nextgov reports. OMB Chief Information Officer Vivek Kundra recently came under criticism from Senator Tom Coburn (R-Okla.) for failing to make that data available.

For more:
- check out the draft USDA open government plan (.pdf)
- read the OMB's open government directive
- see this Nextgov story

Related Articles:
Court: DCMA wanted to be too open with FOIA 
Coburn: Federal transparency efforts fall short 
Federal CIOs aren't sure Obama administration IT goals add value 
Data.gov not living up to expectations

Adoption of the National Information Exchange Model in order to facilitate data sharing among incompatible health information technology systems is not a CIA plot, said David Blumenthal, the national coordinator for health information technology.

Blumenthal spoke during a nearly five hour Health and Human Services Department health information technology standards committee meeting on March 24. In a recording of the meeting--at the 03:13 mark and after a discussion of the best ways to achieve interoperable data--Blumenthal said he wanted to "clarify" something.

Rumors in the blogosphere, he said, have been circulating that NIEM and the health community's adoption of it "is some kind of Trojan Horse for government control over health information."

"That is, because it is a government-developed mechanism for generating standards and implementation specifications, might it make it easier for health information to be transmitted, or might it make it investable that it is transmittable to the Department of Justice, Department of Homeland Security, the CIA, the NSA, I don't know where else," he said, to some audible giggling.

"Um, yes," he added, "and the answer to that question is absolutely ‘No'. I just want to say that for the record: Absolutely no."

The HHS already uses NIEM to support child and family services, said Doug Fridsma, acting head of the Office of Standards and Interoperability at the Office of the National Coordinator, earlier in the meeting.

NIEM is itself not a health information technology data standard, Fridsma explained. Rather, it is an effort to harmonize existing and different standards, he said.

NIEM started as a Justice Department effort but is now managed by DHS. It uses XML schemas to standardize core data components for exchange and allows other communities of interest to create mutually-intelligible data components specific to their communities.

Some meeting participants criticized NIEM. "NIEM is many things, few would accuse it of being a model, despite the name," said one attendee. "The semantic specification is under-specified, but I think that's fixable. But [what] seems less clear is how we address the cross use-case harmonization, and I don't think merely articulating that there is a harmonization process is sufficient," he said.

NIEM has long been criticized even as 48 out of 50 states have adopted it and its use has grown in unexpected ways.

"XML is a favorite but is attacked continuously in relation to weak data modeling support, weak encoding of binary objects, performance issues, and many more. Remember, the roar of legacy systems has a long tail," wrote NIEM founder Michael Daconta, in 2008.

For more:
- listen to an audio recording of the March 24 meeting of the HHS HIT standard committee. The NIEM discussion begins at about 02:29; Blumenthal makes his remarks starting at 03:13.
- see the agenda and presentation associated with the meeting
- read the opinions gathered by Nextgov on whether NIEM is a plot, including one from Twila Brase, who says it could be.

Related Articles:
NIEM poised for growth
Editor's Corner: NIEM is a model IT project

Justice Department inspector general auditors found Limewire, a peer-to-peer download client, on a government owned laptop.

Auditors were testing laptops from the DOJ's criminal division to see whether they were encrypted in accordance with departmental full disk encryption policies when they found Limewire downloaded onto an International Criminal Investigative Training Assistance Program (ICITAP) laptop.

The U.S. Attorney's Office successfully prosecuted a Seattle man in 2007 for using Limewire to search the hard drives of other Limewire users for information in order to commit identity theft. Limewire is a client for the Gnutella file sharing network, though it also supports torrent. It has a reputation for transmitting malware.

ICITAP officials recalled the 10 laptops, including the Limewire laptop, it had loaned auditors and re-imaged them, the inspector general report states. The audit was performed from July through December 2009.

As for whether Criminal Division laptops were encrypted, the report found that of the 40 Justice laptops it tested, 10 were not, and nine of those 10 didn't have Windows password protection, either.

All 10 laptops came from ICITAP, and contained information such as reports on development programs in Iraq and Pakistan. The criminal division only allows "sensitive but unclassified" information onto laptops. Departmental policy is to consider all information as "sensitive" unless designated otherwise.

Justice department contractors were likewise lax in their full disk encryption, auditors found. Seven of the nine tested contractors on Offices, Boards and Divisions (OBD 47) contracts, which are used for paying expert witnesses or litigation consultants, lacked encryption on their laptops. Companies performing work under the Justice "Mega 3" indefinite-delivery, indefinite-quantity contract have a waiver from encryption requirements, but they were nonetheless "not securing data in accord with DOJ requirements," auditors wrote.

For more:
- check out DOJ IG audit 10-23 (.pdf)
- see this March 17, 2008 U.S. Attorney, Western District of Washington press release announcing the 51-month prison term of Seattle man Gregory Kopiloff for mail fraud, accessing a protected computer without authorization and identity theft.
- read this Federal Computer Week story on the audit

Related Articles:
FTC: Data breaches linked to P2P services 
Bill would ban feds from P2P networks

The National Association of State CIOs is encouraging state IT shops to allow employees to use personal smartphones for work. A recent research report from the association surveyed 36 states about their smartphone policies and security measures. Currently, 14 states allow employees to use personal smartphones, 10 states ban their use and six states said the rule varies from agency to agency. Article

> Pres. Gerald Ford secretly authorized warrantless domestic wiretaps. Article
> Security changes at the Pentagon. Article
> Hackers like running covert IPv6 channels. Blog post
> DOJ sues KBR for Army logistics work. Press release
> DHS live terrorist response exercises overly scripted? Article

And Finally... Remember CD-ROMS? The iPad is version 2.0. Blog post