Agencies flunk out on their first security review by OMB

The Office of Management and Budget found across-the-board weaknesses in its first report on the state of federal IT security.

Many agencies 'have significant deficiencies in every important area,' OMB concluded in its Feb. 13 report to Congress, required under the Government Information Security Reform Act.

OMB collected fiscal 2001 data from the 24 major agencies, focusing on management and policy rather than technology. It said program officials, not security officers or CIOs, bear the responsibility for funding and tying security to program goals.

Amid a general failure of accountability, awareness and training, the report identified six common weaknesses:

  • Lack of senior management attention has been a problem for years at every agency reviewed.

  • Some agencies reported virtually no security training.

  • Accountability for job and program performance was inadequate at almost every agency.

  • Although GISRA requires integration of security into capital planning, agencies have not made security part of business processes.

  • Contracting law requires that contractors also take security measures, but 'agency reports reveal ongoing weaknesses,' OMB said.

  • Few agencies do any meaningful testing and monitoring of their systems.

The House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations used the raw GISRA report numbers in assigning the government an overall F grade for security in November. Sixteen of the 24 agencies got failing grades on the committee's report card.

OMB did not assign grades, but it dealt even more harshly than the congressional panel with several agencies.

OMB wants proof

The National Science Foundation, which received a B+ on the committee's report card, could not back up its claims of no serious security weaknesses, OMB said.

NASA, which received a C- on the congressional report card, had more mature IT security practices than many other agencies, but the space agency's inspector general 'believes that management is unwilling to recognize the significance of the weaknesses and deal with them in a timely manner,' the OMB report said.

The NASA IG commented that only half of systems administrators with security responsibilities had received training.

OMB said agencies will spend about $2.7 billion on IT security this year out of total IT spending of $48 billion. The proposed fiscal 2003 security share is slated to jump sharply to $4.2 billion out of $52 billion total IT spending. Security figures do not include spending on related areas, such as personnel training.

Agency security spending as a percentage of IT budget ranged from 1 percent at the Agriculture Department to 9.4 percent at the Energy Department. But OMB found no correlation between the percentage and the quality of security.

'At this point, there is no evidence that poor security is a result of lack of money,' the report concluded.
About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
