After a spate of embarrassing and potentially dangerous incidents within various civilian government agencies, the Bush administration has released an official memo stipulating that all mobile devices (notebooks, smartphones and I would imagine USB storage) which carry sensitive data must be encrypted. Remote access should only be given with two-factor authentication, and one of the factors must be provided by a device separate from the computer gaining access. Remote access and mobile devices should time out after 30 minutes of inactivity. The document also dictates that all data extracts from databases holding sensitive information should be erased within 90 days unless their use is still required.

It seems hard to believe the statement inside this memo which reads “Most departments and agencies have these measures already in place” given the recent incidents which have no doubt prompted the memo's issue.

SecurityFocus has a deeper analysis available and the official memo is found here.