Update – 3/3 I managed to find the relevant GAO report. It turns out that I was mistaken to assume that the report was released within a few days of the news report. The GAO document was released in late January. However, the relevant agencies are only listed in the report. They are not singled out.

Original Post

When a issue involving science and technology policy – if only slightly – makes the local news in DC, my ears perk up (sometimes even literally). Last weekend there was a local news report about government agencies’ general failure to implement Office of Management and Budget recommended procedures for protecting the data they keep. The Washington Post and other news providers picked up the story.

(For the record, this is one of many things I keep an eye on for my day job. If I could confirm what’s alleged below, I’d probably blog about it for the job, but it’s worth posting here for a couple of reasons.)

First, while most of the 24 agencies surveyed did poorly, only two failed to implement any of the recommended policies for securing information: the Small Business Administration and the National Science Foundation. I’m not raising a hue and cry on this point right now because I’ve run into a block – I can’t find the underlying documentation from the Government Accountability Office confirming the scorecard referenced in the report. So if there are readers that can speak to the source of the claims by GAO that the NSF failed to implement any of the recommendations, I’d love to see it.

Additionally, it’s quite possible that the problem has been addressed. The NSF Chief Information Officer, George Strawn, is quoted by the Post as saying “contrary to the GAO report, his agency has implemented all or part of all five measures.”

Of course, the problem with the scorecard demonstrates how ill-prepared most agencies are to protect the information they keep. I do not single out the government here, the rash of data breaches over the last few years has hit the private sector as hard as the public sector.

What’s annoying is that the recent GAO testimony on information security doesn’t have this information (or I’m looking in the wrong place), and the NSF website has absolutely nothing on this report (and I am looking in the right places there). It may have been several years since NSF has had to deal with negative publicity (or wanted to try), but the way to do it is not by keeping silent. It appears that the public face of the agency – on the website anyway – is all about the results of research funding. Personally, some publicity about how well the agency operates would go a long way to reminding people that not only does NSF fund good work, but also that it does a good job administering the operation. We – the science, science policy and science advocacy communities – may accept without question that science is done right and above board. But the public doesn’t know us, and frequent reminders are common courtesy and good government.