GAO balks at OMB's refusal to share data

OMB's Mark Forman says GAO lacks budget oversight so it can't see the agency security plans.

A minor turf battle has erupted over agencies' initial efforts to comply with the Government Information Security Reform Act.

The General Accounting Office, an arm of Congress, called the first GISRA results a 'significant step' forward. But serious security weaknesses remain, GAO said, and the Office of Management and Budget is restricting its access to data needed for effective congressional oversight.

The act makes OMB responsible for reporting to Congress on the state of IT security. Last month, in its first report, OMB identified pervasive weaknesses in the fiscal 2001 GISRA reports from 24 major agencies [GCN, March 4, Page 9].

No plans

Missing from the report were any plans for fixing the weaknesses, GAO complained.

'The lack of such important information limits oversight,' Robert F. Dacey, GAO's director of information security issues, told a House panel this month. 'With the president requesting $4.2 billion for information security funding for fiscal 2003, congressional oversight of future spending' is essential to keep agencies from using the funds 'to continue ad hoc, piecemeal security fixes.'

But OMB said the plans are part of the budget-making process and cannot be released to Congress.

'There is absolutely no way GAO could look at them and not get into the budget decisions,' said Mark Forman, OMB's associate director for IT and e-government. GAO's lack of budget oversight 'is an issue OMB cannot address.'

Forman said GAO should focus on the security levels rather than on reviewing corrective plans.

'You know the saying about the best-laid plans,' he said. 'The issue is who is achieving the results, and we all need to focus on results.'

Dacey also protested that the CIA director would not provide information about IT systems critical to national security.

'We acknowledge the sensitivity of this information,' Dacey said, but added the lack of high-level summary information limits congressional oversight.

GAO reviewed GISRA implementation at the request of the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.

GISRA requires agencies to conduct risk assessments of critical systems; create, implement and test security policies; and make security a part of overall business processes. The law will expire Nov. 29, but legislation recently introduced in the House would make it permanent.

Dacey said agencies benefited from their first-year reports by focusing more management attention on information security.

But both OMB and GAO found that implementation was incomplete. Only 18 percent of agency systems had been fully assessed and secured, and few agencies had adequate security policies or training.

Dacey said agencies need more specific guidance, plus adequate staff and budget resources, to meet GISRA requirements.

According to the GISRA reports, agency spending on security ranged from 1 percent of IT budgets up to 17 percent, but OMB said it found no correlation between the amount spent and the quality of security.

Dacey, however, said many agencies 'noted that funding limitations had directly affected their ability to implement existing security requirements.' Also, he said, GISRA requirements put an extra burden on inspectors general, who need more resources.

Money needed

Forman acknowledged that some fixes would require more money. 'That is why we're asking for $4.2 billion' for next year, up from $2.7 billion this year, he said. 'But none of the six problem areas we identified were associated with putting more money in. It's making sure that security is the focus of management.'

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Subcommittee on Technology and Procurement Policy, introduced HR 3844, the Federal Information Security Management Act, to permanently reauthorize GISRA.

The bill would require agencies to use security best practices and let OMB mandate standards developed by the National Institute of Standards and Technology.

About the Authors

William Jackson is a freelance writer and the author of the CyberEye blog.
