No Security? No money, says OMB
- By Gail Repsher Emery
- Feb 19, 2004
Rep. Adam Putnam, R-Fla., chairman of a House Government Reform subcommittee that tracks government IT, publishes a quarterly report card that rates 24 agencies' cybersecurity. Putnam's most recent scorecard, issued in December, gave the agencies an overall grade of D.
"Agencies need to secure what they have," not layer new projects on top of vulnerable IT infrastructures. -- Karen Evans, administrator for IT and e-government in the Office of Management and Budget.
The White House has identified 18 agencies that will not receive funding to upgrade their information technology systems until they fix security problems.
"Agencies need to secure what they have," not layer new projects on top of vulnerable IT infrastructures, said Karen Evans, administrator for IT and e-government in the Office of Management and Budget.
Evans, who announced the new policy at a briefing outlining the administration's $59.8 billion IT budget request for fiscal 2005, said agencies would not be allowed to develop, modernize or enhance their IT systems until their cybersecurity problems are fixed.
Among the agencies directed to correct security deficiencies were the departments of Homeland Security, Interior, Justice, Labor, State and Transportation.
OMB's directive "creates more opportunity for our cybersecurity business, and maybe it delays some opportunities for our integration business," said Al Picarelli, a senior vice president at Booz Allen Hamilton Inc. in McLean, Va. "For firms that were counting on building a new application, it could delay their revenue for a certain period of time. It could have a big impact on some agencies and their vendors."
[IMGCAP(2)]Evans said the 18 agencies plan to spend $8.5 billion in 2004 on system development, modernization and enhancement, and have requested $8.1 billion for 2005 for those efforts. These figures do not include funds for general systems operation and maintenance, she said.
The 18 agencies will be directed to use this money first to improve their cybersecurity, Evans said. The new funds would supplement the $1.4 billion the agencies already plan to spend on IT security in 2004, and the $1.5 billion they have requested for 2005.
Eight agencies -- the Commerce, Defense and Energy departments, Environmental Protection Agency, NASA, National Science Foundation, Nuclear Regulatory Commission and Office of Personnel Management -- are exempt from this requirement because OMB determined that they have good security programs, Evans said.
OMB's action "is a shot across the bow of chief information officers and department heads. OMB is saying they are spending a lot on development and not enough on existing infrastructure," said Gene Hunt, senior vice president enterprise security solutions at San Diego-based Science Applications International Corp.
The shift in funds "may delay future programs by a little, but they will be implemented in a foundation that is more secure. On the security side, there could be more opportunities for us," Hunt said.
When agencies demonstrate cybersecurity improvements, they will be allowed to move forward with new work, Evans said.
"If it only takes $1 million to remediate their IT security problems ... then the rest of the money is allowed for them to go forward with their development and modernization efforts," Evans said.
OMB's action shows that it is elevating the importance of IT security among the agencies, said Bob Dix, staff director for the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census. Subcommittee Chairman Rep. Adam Putnam, R-Fla., puts out a quarterly report card that rates 24 agencies' cybersecurity. Putnam's most recent scorecard, issued in December, gave the agencies an overall grade of D.
Agencies that did not score well had problems that include incomplete inventories of critical IT assets, weak incident identification and reporting procedures, weak controls over contractors and inadequate plans for finding and eliminating security problems.
The scorecard results show that cybersecurity is not a high enough priority in many agencies, Dix said, even though the Federal Information Security Management Act requires annual IT security reviews, reports and remediation.
"Clearly, the outcome of the report card demonstrates that agencies need to invest more funds and resources," Dix said. "OMB is saying you are required under law to do this, and we are using this enforcement mechanism to motivate you to do it."
OMB is doing the right thing, said Greg Garcia, vice president of information security policy and programs at the Information Technology Association of America, an Arlington, Va.-based IT trade group.
"This is what the government needs to do, which is to lead by example," he said.
OMB's strategy will be effective, IT contractors said. However, some said it might not be possible -- or a good idea -- to abandon IT development for cybersecurity improvements in every case.
"This is a rather dramatic step," Picarelli said. "[Evans] said cybersecurity is the most important priority regardless of what else you're doing. That may be true, but that might not be true in every case."
Nevertheless, Picarelli said he's sure Booz Allen staff are now visiting the 18 agencies, showing potential customers how the company has improved cybersecurity at the Defense Department, Internal Revenue Service and National Security Agency.
"If that means we have to stand down our people that were thinking of selling them integration services, so be it. The rules are the rules," Picarelli said.
Staff Writer Gail Repsher Emery can be reached at firstname.lastname@example.org. Government Computer News Staff Writer Jason Miller contributed to this story.