GISRA report finds information security woes

Many government agencies have pervasive problems with information security, including a lack of management attention, poor controls on contractors and inadequate monitoring of system activities, according to a new report by the Office of Management and Budget.

The Feb. 13 report is OMB's first to Congress as required under the Government Information Security Reform Act of 2000. The report identifies six problems:

*Lack of senior management attention to security;

*Inadequate accountability for job and program performance related to IT security;

*Weak or nonexistent security education;

*Poor integration of security projects into capital planning and investment control;

*Weak security controls for contractor services;

*Inadequate systems to test and monitor system activity.

The annual report is a benchmark against which OMB and the agencies will monitor their performance improvements, said Mark Forman, OMB's associate director for information technology and e-government.

OMB identified the six weaknesses in a review of more than 50 agency reports filed under GISRA. In the report, OMB wants agencies to:

*Greatly increase senior management's attention to security;

*Establish measures to evaluate the performance of officials with security responsibilities;

*Improve security education and awareness;

*Integrate security into the capital planning and investment control process;

*Ensure that contractor services are secure;

*Improve their ability to detect, report and share information on vulnerabilities.

Agencies have developed and begun implementing plans to fix security problems, as required by OMB guidance issued in October 2001, the report said.

The guidance directed agencies to report security costs for IT investments; document that security controls are incorporated into each IT investment; reflect the agency's security priorities as reported in their corrective action plans; and tie their corrective action plans for IT investments directly to their business cases for those investments.

"OMB has made it a policy to stop funding projects that do not adequately address security requirements and neglect to document how security planning and funding is integrated into the project's life cycle," the report states.

Almost 60 percent of agencies reported spending between 2.1 percent and 5.6 percent of their total IT investment on security. Five agencies said they spend between 7.3 percent and 17 percent, and five agencies reported expenditures between 1 percent and 2 percent.

The Bush administration's fiscal 2003 budget plan calls for spending $4.2 billion on information security, up from $2.7 billion in 2002.

But Forman has cautioned against equating the amount of money spent with the quality of agency information security.

At a budget briefing with IT industry officials earlier this month, Forman said: "The vast majority of the agencies wanted more money, and got more money [for security]. That said, [a statistical analysis showed] the amount of money spent does not consistently determine how good a security program is. Money doesn't change the fact that the head of an agency is not focused on security."

Real improvement will result from significant attention to the six weaknesses OMB identified, the report said.

To improve oversight of security improvements, the report says OMB plans to:

*Consult with agencies on their progress;

*Incorporate security into the scorecard rating each agency on its progress toward meeting the president's government management goals;

*Encourage agency inspectors general to monitor security improvements;

*Assist agencies in developing management-level performance measures for security.
