OMB: Agencies show moderate progress on IT security

Federal agencies are improving in their efforts to secure the nation's information technology framework, but only moderately so, according to the Office of Management and Budget's fiscal 2006 report.

Each year OMB must report to Congress how well agencies are meeting the security standards set forth in the Federal Information Security Management Act (FISMA) of 2002. In fiscal 2006, agencies spent $5.5 billion to secure the government's total IT investment of approximately $63 billion, OMB said.

The latest FISMA report shows modest improvement and progress in meeting several annual performance measures. The number of agencies reporting having certified and accredited IT systems rose from 85 percent to 88 percent, and there was a 3 percent increase in the number of federal IT systems, from 10,289 in fiscal 2005 to 10,595 last year.

Agencies also increased their testing of security controls and contingency plans in the 12-month period. Agencies tested security controls on 88 percent of their systems, up from 61 percent in 2005. They also tested 77 percent of their contingency plans, up from 72 percent a year ago.

The Defense Department led all agencies in such testing with a 30 percent increase.

In addition, the FISMA report found a 10 percent increase in the number of federal employees receiving security awareness training and a 3 percent increase for employees with significant information security responsibilities.

The report cited "modest success" in meeting several key privacy performance measures, including program oversight and training led by an agency privacy official. "Most agencies report privacy training for Federal employees and contractors, with 92 percent reporting general privacy training and 84 percent reporting job-specific privacy training," it said.

Of the 25 agencies evaluated, only the Office of Personnel Management and the Social Security Administration received a rating of excellent in overseeing the effectiveness of their security procedures. Eight departments were rated poor: Agriculture, Commerce, Defense, Energy, Interior, NASA, Treasury and Veterans Affairs.

OMB also ranked the departments' plan of action and milestones process to correct IT security weaknesses. Nineteen agencies received a rating of effective and six were deemed ineffective, including Defense, Homeland Security, NASA and Veterans Affairs.

In terms of overall effectiveness of security procedures, the FISMA report ranked only two agencies, OPM and Social Security, as excellent. Eight agencies received a rating of poor, including DOD, NASA, Treasury and Veterans Affairs. The Nuclear Regulatory Commission was the only one of the 25 agencies to receive a failing evaluation.