Federal agencies are not doing enough to protect citizens from identity theft, according to a report by the U.S. Government Accountability Office (GAO), the investigative arm of Congress.

The report, "Information Security: Protecting Personally Identifiable Information," was spurred on by the major security breach at the Department of Veterans Affairs (VA) in 2006, when a laptop containing the names, Social Security numbers and other personal information of millions of veterans was stolen.

Sen. Norm Coleman, R-Minn., and Rep. Susan Davis, D-Calif., requested that GAO identify federal laws already in place and investigate and describe the state of IT security compliance of 24 federal agencies.

GAO recommendations included encrypting data on mobile computers and other devices that carry agency data, and using a National Institute of Standards and Technology (NIST) checklist to properly categorize any data deemed personally identifiable information that is accessed remotely or physically transported outside the agency.

Only two agencies – Treasury and Transportation – meet all the recommendations for compliance, while two others – Small Business Administration and National Science Foundation – meet none, the GAO report said. The other 20 agencies comply with some but not all of the GAO report's recommendations for better security and privacy.

The VA does not yet fully comply with all the GAO recommendations, but is working to improve its security, a VA spokesman told SCMagazineUS.com Tuesday.

“VA is committed to ensuring the personal information of our veterans is secured,” said Matt Smith, a department spokesman. “We are continually enhancing our protections and welcome opportunities to improve.”

While John Dasher, director of product management at encryption provider PGP, said he applauds the GAO for highlighting the need for more agency security, he believes the report and subsequent actions fall short.

“There is no real plan behind the report,” he told SCMagazineUS.com Thursday. “It talks about encryption, which is a good thing, but an enforceable policy is necessary. If you put rules in place, you need to take action to make sure people follow those rules.”

A representative from the federal Office of Management and Budget, which has released two memos mandating federal agencies implement data security safeguards and breach notification protocols, did not respond to a request for comment.