The IT Law Wiki


Office of Management and Budget, Protection of Sensitive Agency Information (OMB Memorandum M-06-16) (June 23, 2006) (full-text).


This Memorandum addresses the protection of federal agency information that is either "accessed remotely or physically transported outside of the agency's secured, physical perimeter." Physical removal includes both removable media as well as media within mobile devices (i.e., laptop hard drive).

This memorandum recommends that four actions be taken by all agencies to protect sensitive agency data: (1) encrypt all data on mobile devices, (2) allow remote access only with 2 separate mechanisms of authentication, (3) use a 30-minute inactivity timeout function for remote access, and (4) log all computer data extracts from databases and ensure data are erased after 90 calendar days unless the data are still needed.

The memorandum also provides a checklist for protecting remote information for agencies to complete within 45 calendar days of the issuance of the memorandum.