Data-at-Rest Is Not A New Requirement at NASA
Data-at-Rest (DAR) at NASA HQ
“This page contains important information for employees regarding the Data-at-Rest (DAR) Encryption project at Headquarters. As mandated by Federal law and Agency policy, all NASA-issued laptops must have Data-At-Rest (DAR) whole-disk encryption software. The NASA OCIO has directed that all Centers complete this activity by December 21, 2012. Per the Agency directive dated November 13, 2012, no NASA-issued laptops containing sensitive information may be removed from a NASA facility unless DAR encryption software is enabled OR any sensitive files are individually encrypted (using Entrust PKI).”
Recommendation to Fund and Deploy Agency Data-at-Rest (DAR) Solution, NASA CIO, 21 February 2008
“Based on an evaluation of NASA’s requirements for encryption of data at rest and of the solutions currently available, I recommend that your office fund the implementation and deployment of an integrated, interoperable NASA DAR solution in the amount of $2.0M for Fiscal Year 2008. Details of the recommended solution, based on McAfee’s Safeboot product suite, and the evaluation that produced this recommendation are in the attached presentation.”
Keith’s note: Looks like there was direction executed within the CIO in early 2008 – before the current CIO even arrived on the job. Four years later and NASA is only getting around to taking its own decisions seriously. Note: there is no date on this PDF file but it was created on 21 Feb 2008.
Entrust PKI is no picnic, but makes more sense than DAR. Since most of these laptops are shared there is no way to keep track of the DAR passwords unless they are written on something kept with the computer. Of course that would be a violation, but there is no practical way to actually follow the rules, something that never seems to bother IT.
Why can’t they set up multiple user accounts? That’s bad system design if you have to share passwords.
“Since most of these laptops are shared”
No, they are not.
CIO page has a foretelling event on page 6.
http://www.nasa.gov/pdf/666…
Linda and her staff are fearful of losing a laptop with 10,000 names. Oops.
Ouch. Good find. Check the top post on NASA Watch. They were smart enough to anticipate such an event but were utterly incapable of preventing it.
I think we have a winner for the 2012 Nostra-dumb-ass award.
It looks like we are going with the tried and true bureaucratic method of inconveniencing everybody big time with a bunch of arcane encryption requirements rather than looking for and punishing the bad actors. Loss of productivity by innocent people now having to implement this garbage is not a factor. Just do it and don’t ask questions. And, by the way, according to some hand-wringing managers, everything we do is “sensitive”.
From the POV of an outsider–mine– this just looks silly. Why does NASA need another freaking acronym and funded program for this? My Mac has native encryption. Doesn’t Windows, too? So how about a memo: Everyone! Got sensitive data? Encrypt your laptops!?
I am missing something here.
No you are not missing anything. You live and work in the real world. NASA does not – they always think that their problems are unique or too hard to handle – so they do nothing until the worst scenario unfolds – and then they run around waving their arms.
Unfortunately, when the ACES contract came into being, and HP laptops replaced Dell ones, the TPM (trusted platform module) required to run Windows BitLocker (software built-in and FREE) was not a part of the baseline configuration. For a part that cost pennies when purchased in bulk, HP chimped out and gave a laptop that is below those available to end users from any electronics retailer. I run BitLocker on my home laptop…. Inexcusable for NASA not to have this option as a baseline requirement. Would have saved a whole lot of trouble!
Actually NASA wrote part of an NPR that said exactly that (NPR 1382.1 Ch2)
“2.2.1 Any PII on mobile computers/devices shall, at a minimum, be encrypted by users with Entrust or native encryption in Microsoft and Apple operating systems or any other NASA CIO-approved encryption solution.”