Take three steps
- By Thomas R. Temin
- Mar 15, 2002
Surprise! Rep. Steve Horn's House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations has given agencies an F for computer security [GCN, March 4, Page 9].
Similar grades from the California Republican spurred agencies to eventual success on their year 2000 conversion efforts, plus a few billion dollars in supplemental appropriations spread around judiciously.
The committee's scores were derived from reports agencies made to the Office of Management and Budget under the Government Information Security Reform Act. In reading OMB's summary of the reports, you've got to admire the agencies' honesty in answering questions of the 'how-often-do-you-beat-your-wife-and-kids?' sort.
No one actually audited any systems for OMB. What you really have are meta-assessments of agencies' self-examinations. That's not to say the reports are inaccurate or that anyone is obfuscating; you can safely infer that government systems harbor serious and widespread vulnerabilities.
OMB director Mitchell E. Daniels Jr. recently said the Bush administration is so focused on management that it borders on the unnatural, good management presumably having political payoff only at the state and local level. Security is a critical management challenge. The question is, what is there to do about it?
Here's a three-step proposal by which OMB and Congress could take their own advice and lead department secretaries to create performance-based contracts. Forget the details asked about in the GISRA reports and all that old-fashioned nonsense. That's like using two pages of specs to order an ashtray.
Step 1: Make a one-sentence pact with agencies. 'The XYZ Department's computing and communications infrastructure shall be as free from security threats as is technically possible.'
Two: Have the General Services Administration award a contract for a security vendor to try to penetrate each agency's systems and report what happens.
Three: Allocate e-government and IT funds based on the results.