CIO Council releases security self-checker

Federal IT Assessment Framework establishes protection levels and will help agencies see how they stack up

The Chief Information Officers Council has released the first version of a self-help tool for assessing the state of security in information systems of all sizes.

The Federal Information Technology Assessment Framework defines five levels of security for information assets, which can include applications, computer systems, networks or groups of systems. The framework's ascending scale measures whether controls are documented, implemented, tested and incorporated into a cyclical review program.

James Flyzik, vice chairman of the CIO Council and the Treasury Department's CIO, described the framework as 'a start to improving security programs across government.'

Survey to come

A complementary questionnaire, expected early this year, will help agencies determine where their systems stand in the framework.


The Computer Security Division of the National Institute of Standards and Technology's Systems and Network Security Group is still at work on the questionnaire.

'The questionnaire is where the details come in,' said Marianne Swanson, a computer specialist in the Computer Security Division.

The framework came in response to the Information Security Reform Act, part of the Defense Authorization Act that requires annual reviews of agency security. The CIO Council began work on the framework in late 1999, in cooperation with the Office of Management and Budget, the General Accounting Office and NIST.

Swanson said it was a collaborative effort, but NIST took a stab at the first draft. Two preliminary versions went out to agencies and industry for comment before publication last month.

'Ultimately, it was NIST that collected the comments and did the rewriting,' Swanson said.

The criteria grew out of existing federal guidelines, including NIST's IT security publications and Presidential Decision Directive 63, which mandates protection of the nation's critical infrastructure.

Each level has specific conditions:

• Level 1: Security policies have been documented, with provisions for periodic reassessment and assignment of authority.

• Level 2: Procedures have been documented for implementing the policies, and security responsibilities are clearly defined.

• Level 3: Procedures and controls have been implemented, and specific procedures have been communicated to those responsible for carrying them out.

• Level 4: Procedures and controls are routinely re-evaluated, and the agency takes corrective action when weaknesses are found.

• Level 5: Procedures and controls have become integral to the agency's culture, to the point that decisions hinge on the cost, risk and mission impact of security issues.

'Agencies should seek to bring all assets to Level 4 and ultimately to Level 5,' the authors of the framework said.

Before determining a security level, the agency or owner of an asset must determine how sensitive the asset is and what level of risk is acceptable. Agencies must evaluate the security not only of individual assets, but also of the systems to which they connect and on which they depend.

One for all

'I envision a single questionnaire that could be applied across the board' to many kinds of systems and applications, Swanson said.

A document that comprehensive and flexible is difficult to design, she said, but like the framework, much of it comes out of existing documents and guidelines.

There was some debate about releasing the framework before the questionnaire was ready, Swanson said.

'The majority of the agencies said to "issue it, we can use it" ' to produce a thumbnail sketch of security, she said.

The IT Security Assessment Framework is available online at the CIO Council's Web site, at
