Online extra: OMB makes IT security a priority

Despite relentless pressure from the Office of Management and Budget and lawmakers to improve IT security, agencies still can't protect all their systems.

In the fiscal 2005 budget request, the Bush administration noted that security shortcomings could be found in many of the 621 IT business cases, accounting for $22 billion in systems investments, that OMB included on its management watch list.

OMB said 61 percent of federal systems' security had been certified and accredited by December, up 14 percent from the previous year. But agencies, by law, were supposed to have all systems certified by inspectors general or third parties by that time.

Nonetheless, OMB senior policy analyst Kamela White said agencies are moving in the right direction.

President Bush's budget proposal said OMB would continue to push agencies to improve IT security. The administration expects agencies to meet three mandates by December:
  • All agencies must create a central remediation process to ensure that program- and system-level security weaknesses are corrected. Each agency's inspector general must verify the remediation process.

  • IGs or third-party organizations must certify as secure at least 80 percent of all federal systems. OMB had hoped to accomplish this goal by December, but so far only 61 percent have been certified.

  • Agencies must integrate security expenditures into each program's lifecycle costs. As of last year, about 75 percent of projects had done this, OMB said.


Lawmakers will also be keeping a close eye on these efforts.

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, will hold a hearing in the spring on programs that fail to take the Federal Information Security Management Act into account. Davis, who authored the IT security bill last year, said agencies too often neglect its mandates and guidelines.

Rep. Adam Putnam (R-Fla.), chairman of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, meanwhile has sent a letter to agency heads requesting meetings with CIOs to discuss IT security plans.

Putnam's staff already has met with six CIOs and will meet with the CIO Council next month to discuss IT security plans, milestones and his subcommittee's expectations. His staff also will meet with members of the Appropriations Committee staff to discuss the importance of funding IT security.

Agencies asked for more than $122 million for security efforts. The figure does not include investments planned by the Commerce and Defense departments. OMB said funding information for the two departments will be available next month.

To help agencies meet the FISMA certification requirement, OMB is completing recommendations on how to implement FISMA. White said the document should be out within six weeks.

The guide will help align efforts governmentwide, she said.

'We see some common problems between the agency and IG reports' that FISMA mandates all agencies submit to OMB, White said. 'They define terms differently, for instance.'
