The new policy could also result in a high number of 'false positives' being reported to the DHS, said Doug Howard, chief operating officer at Counterpane Internet Security Inc., a managed security services provider in Mountain View, Calif. Each time someone left a laptop in a car or at an airport security check-in, a report would have to be immediately filed, Howard noted. 'It's just burdensome."

The July 12 memo also requires agencies to provide details on the budget amounts that they're requesting for correcting security weaknesses in 'steady-state system operations' versus funds they're seeking for systems development or modernization projects.

The directive from Evans followed a memo from another OMB official last month that gave agencies 45 days to implement a prescribed set of security controls for protecting sensitive data when it is accessed from remote locations or stored on laptop PCs and other mobile devices.

In another development this week, the House Committee on Veterans' Affairs approved a bill that would elevate the VA's CIO and CISO to higher management levels within the agency. The Veterans Identity and Credit Security Act also would require the VA to provide timely notifications of breaches to Congress and evaluate the idea of using personal identification numbers instead of Social Security numbers to identify veterans.