Interior wants OMB to referee dispute over its IT security
- By Mary Mosquera
- Nov 23, 2005
Interior secretary Gale Norton disagrees with her department's inspector general that the department does not meet federal security requirements and has asked the Office of Management and Budget to clarify its interpretation of those requirements.
Interior certified and accredited more than 98 percent of its systems in fiscal 2005 to comply with the Federal Information Security Management Act. During the year, Interior also made progress in consolidating 13 networks into a single departmental enterprise services network, with strong network perimeter security controls. The three remaining bureau networks are undergoing consolidation now, she said in a letter to OMB director Joshua Bolten last month.
'While IT security is not perfect, risks and vulnerabilities still remain, and improvements need to be made, the policies and processes to address those risks are adequate, improvements have been and will continue to be made, and therefore, DOI substantially complies with FISMA,' Norton said in the letter.
OMB could not comment on Interior's request, an OMB spokesman said.
'We continue to work with every agency to improve security. We are currently completing our analysis for the FISMA report to be released in March,' OMB spokesman Alex Conant said.
Norton said some of the reporting criteria on risk management were ambiguous, leading to subjective judgment and individual perspectives.
The quality of Interior's certification and accreditation process is, at a minimum, satisfactory, said Interior CIO Hord Tipton in a redacted version of his FISMA evaluation.
Tipton's office also worked under the burden of producing 4.5 million pages of documentation related to the long-running Cobell v. Norton lawsuit, which has forced Interior to cut off some of its systems from the Internet. The plaintiffs claim that Interior's IT security
is weak and that hackers can easily penetrate the Individual Indian Trust financial records.
'The CIO believes the IG's responses to several of the questions in the FY 2005 reporting template exceed the basic requirements of FISMA and do not take into account improvements made during the year in response to the testing the IG conducted,' Norton said.
Despite progress, Interior IG Earl Devaney said the department has significant weaknesses in its network security, plans for corrective actions and milestones, and certification and accreditation.
The IG's penetration testing demonstrated that Interior's network infrastructure was vulnerable to unauthorized access from internal and external threats.
'(It) allowed us to compromise some of DOI's most sensitive information,' Devaney said in the public version of his evaluation.
Devaney rated Interior's certification and accreditation program as poor. Overall, Interior lacks an effective departmentwide strategy to implement and oversee its various policies and procedures, he said.
Mary Mosquera is a reporter for Federal Computer Week.