NTSB laptops lack security features: GAO

Nearly half the 383 laptop PCs at the National Transportation Safety Board do not have the required encryption needed to protect data, according to a new report from the Government Accountability Office.

While GAO said the agency was implementing cybersecurity protections to some degree, it discovered new weaknesses in the form of unencrypted PCs and excessively broad user access controls.

The lack of encryption on 184 agency laptops puts them at greater risk of unauthorized access, GAO said. An additional 199 laptops have the protections.

In their defense, NTSB officials said that the hardware on the 184 laptops is not compatible with NTSB's encryption application. To help reduce risk, the unencrypted laptops must remain in the headquarters building at all times and may not be taken home by employees.

Despite those rules, the data remains vulnerable to cyberthreats, GAO said.

"Until NTSB encrypts data on its laptops, agency data will remain at increased risk of unauthorized access and unauthorized disclosure," GAO said.

Overall, the agency has work to do to correct weaknesses in securing its information systems against hackers and other threats, GAO said. The federal agency has a budget of $85 million and a staff of 400. NTSB investigates all civil aviation accidents as well as other major transportation-related incidents.

While NTSB has made progress on cybersecurity, it still is not fully compliant with federal requirements for information security, access controls and data privacy, the GAO report said.

Nonetheless, NTSB has made "significant progress" in addressing the 113 vulnerabilities identified in fiscal 2007 under the Federal Information Security Management Act, the report said.

Cybersecurity and information security are active areas for federal contractors. Many federal agencies hire outside help to implement and maintain information security controls.