Security report notes progress, despite recurring problems
Agencies made progress in securing their systems last year, but problems persist, the Office of Management and Budget reported last month.
In its second report to Congress under the Government Information Security Reform Act, OMB compared the fiscal 2002 IT security performance of 14 departments and 10 agencies against 2001 baseline data. Future reports will fall under the Federal Information Security Management Act.
Despite across-the-board improvements in eight areas, more than a third of federal systems still have not been assessed for risk and have no up-to-date security plans, OMB said, and fewer than half have been certified and accredited.
The 2001 GISRA report identified five governmentwide weaknesses: lack of performance measures and senior management attention, poor security awareness, failure to include security in IT capital planning, failure to ensure security of contractor services and poor information sharing.
'A year later, progress is clearly evident across these areas,' the new report concluded. But OMB identified five new concerns:
- The same weaknesses recur year after year.
- Inspectors general and CIOs within the same departments have 'vastly different views of the state of security programs.'
- Many agencies plan new IT programs before they have secured existing ones.
- Systems are not evaluated annually.
- Program officials do not take adequate responsibility.
Planning and testing is the weakest area, OMB said. Only about a third of federal IT systems had contingency plans tested within the last year.
Overall performance was best for the first step of the IT security process: identifying systems and assessing risk. About 65 percent of identified systems have been assessed, up from 43 percent last year.
Six agencies (the Education Department, the Environmental Protection Agency, NASA, the National Science Foundation, the Nuclear Regulatory Commission and the Social Security Administration) reported that 100 percent of their systems have been evaluated.
The lowest-ranking agencies, the Transportation Department and the Office of Personnel Management, had evaluated only 12 percent each.
Security spending up
OMB reported that IT security spending is on the rise, from about $2.7 billion in fiscal 2002 to an estimated $4.7 billion next year. Security spending by agency last year ranged from 1.5 percent of the IT budget at the Federal Emergency Management Agency to 22 percent at the State Department. The average was around 3 or 4 percent.
But OMB cautioned that 'spending is not a statistically significant factor in agency security performance. Rather, the key is effectively incorporating IT security in management actions and early in the life of IT systems.'