USDA, HUD race to document IT security

Agencies must document the security of IT systems that support their operations, including:

  • Periodic risk assessments of harm that could result from unauthorized access, modification and disruption of IT systems

  • Policies and procedures that cost-effectively reduce IT risks to an acceptable level and ensure that information security is considered throughout the lifecycle of each system

  • Periodic testing, at least annually, of security policies, procedures and technical controls for every major IT system

  • Action plans to fix vulnerabilities in information security policies, procedures and systems

  • Procedures for detecting, reporting and responding to security incidents.
  • Agriculture CIO Scott Charbo says the department expects to certify and accredit 85 percent of its information systems as secure by the end of September.

    Olivier Douliery

    Agencies at the bottom in OMB report, but predict good grades later this year

    In a recent report card on agencies' compliance with federal IT security requirements, the scores of the Agriculture and Housing and Urban Development departments stuck out like sore thumbs.

    Agriculture had only four percent of its systems certified and accredited as secure by outside authorities, according to the Office of Management and Budget's August report, The Federal Government is Results Oriented.

    And HUD received a zero on the 100 percent scale.

    The scores fell well below the governmentwide average of 70 percent compliance and even further below the goal of 80 percent set out by OMB.

    But both Agriculture and HUD said they are working to meet the requirements and predicted much higher scores when the next report cards come out in November. They have hired contractors to handle the work and expect to have most of their IT systems certified and accredited by the end of the year.

    Officials said the departments' broad scope contributed to their problems. Both Agriculture and HUD have offices scattered across the nation, running a wide variety of systems.

    In the past, Agriculture has been unable even to complete an inventory of its information systems and has lacked the funding to follow through on certification and accreditation, CIO Scott Charbo said.

    The price tag for certification and accreditation, sometimes referred to as C&A, can run up to $150,000 per system. 'That's too much,' he said.

    Agriculture assembled a blanket purchasing agreement for vendors to compete for the work, and the department has arranged its IT systems in groups of about 15 systems.

    'We felt there were economies if we grouped the systems by likeness or by region, which would reduce that contractor's travel time and expenses,' Charbo said.

    The strategy worked. The department accepted bids from 11 vendors, some indeed as high as $150,000 per system, but others as low as $30,000 per system. Agriculture now has more than 400 systems grouped and in the C&A process, he said.

    The department has completed the process for more than 100 systems. Many others have made significant progress, Charbo said.

    Agriculture will be certified and accredited for 50 percent of its systems by the end of August and more than 85 percent by Sept. 30, Charbo said.

    'With the plan we have in place, we're where we want to be,' he said.

    Frugal funds

    A common obstacle has been convincing lawmakers to appropriate money the department needs for security.

    'Whenever we've tried to budget for security activity, it has gotten removed. Most of our line items for IT increases and security have gotten removed by appropriators,' he said, noting that legislators might have felt funds for C&A were contained within other parts of the IT budget.

    Funds for the certification and accreditation process this year came from the fiscal 2004 budget, in addition to some unspent money from 2003.

    Agriculture hasn't been the only agency scrambling to come up with money for the effort.

    In a June report on FISMA compliance, 18 agencies noted difficulties funding certification and accreditation, GAO said. Agencies had to reprogram internal funds to absorb the costs.

    Charbo said he had to convince Agriculture's managers and executives to buy in to his security plan. He also went to the department's chief financial officer and inspector general to get their support.

    Another decision Agriculture faced was how to deal with legacy systems it intended to replace. 'Should I put [funds] into certifying the new investment or should I go back and certify the old ones?' Charbo said.

    Agriculture determined that such legacy systems contained no critical vulnerabilities and declined to spend any resources on C&A for them.

    As the lowest-scoring agency in the government, HUD faces a long road to certification and accreditation.

    A September 2003 report by the department's IG said HUD had made significant progress in securing its systems but failed to certify or accredit any of the 258 applications in its inventory of automated systems.

    A HUD spokesman declined to discuss details of the department's efforts but offered brief answers to questions posed by GCN via e-mail.

    In May, the department hired Innotion Enterprises Inc. of Clarksburg, Md., which does work on other HUD IT initiatives, to complete its security certification.

    HUD said it expects to complete C&A for 33 percent of its systems by Sept. 30 and 100 percent by the end of the year.

    Agriculture and HUD said their IT weaknesses have not jeopardized the departments' or users' data. 'The absence or presence of a C&A doesn't increase one's vulnerability.

    How one uses the information from a C&A effort may increase or decrease one's vulnerability,' the HUD spokesman said.

    Agriculture's Charbo said the C&A process shows what improvements could be made in the way an agency manages or administers a system.

    Reader Comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above