OMB releases a report on federal IT security

The Office of Management and Budget found across-the-board weaknesses in its first evaluation of federal information security for the past fiscal year.

"Many agencies have significant deficiencies in every important area of security," OMB concluded in its report to Congress released Feb. 13.

This is the first report required under the Government Information Security Reform Act and is based on data submitted by 24 major agencies for fiscal 2001. Individual agencies were not singled out for poor performance, but OMB found a general lack of accountability, awareness and training for IT security.

The GISRA reports also were used by the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, which issued a failing report card on security in November. Sixteen of 24 agencies received failing grades. The National Science Foundation received the highest grade, a B+.

OMB did not assign grades or rate agencies, but evaluated performance in 13 areas. It identified six areas of common weakness:

  • Senior management attention: OMB has identified lack of management attention as a problem in every agency for six years.

  • Security education and awareness: "This is the opposing bookend to senior management attention," OMB found. Some agencies report virtually no security training.

  • Measuring performance: OMB found inadequate accountability for job and program performance in IT security at almost every agency.

  • Funding and integrating security into capital planning and investment control: OMB requires this, but agencies have not effectively made security part of the business process.

  • Ensuring that contractor services are adequately secure: This is required by contracting law, but "agency reports reveal ongoing weaknesses."

  • Detecting, reporting and sharing information on vulnerabilities: Early warning begins at the agency rather than at incident response centers, but few agencies have any meaningful system of system testing and monitoring, OMB found.

OMB reported agencies will spend about $2.7 billion on IT security in fiscal 2002 out of total IT spending of $48 billion. That figure is expected to increase to $4.2 billion for security out of $52 billion for IT in fiscal 2003. Agency spending for security as a percentage of the IT budget ranges from 1 percent at the Agriculture Department to 9.4 percent at the Energy Department. But OMB found no correlation between the percentage of spending on security and quality.

"At this point, there is no evidence that poor security is a result of lack of money," the report concluded.

About the Author

William Jackson is a Maryland-based freelance writer.
