OMB tweaks info security rules

The official rulebook on federal information security will contain a few surprises for agency officials when the Office of Management and Budget releases its finished guidelines for 2004. However, each of the changes fixes things that lawmakers and agency officials have said needed revision.

Lawmakers got a preview of some of those changes this week from Karen Evans, administrator for electronic government and information technology at OMB. Among the changes, she said, will be a new requirement for agencies to list their operating system configuration standards in a report that goes to OMB and Congress.

At several congressional hearings on cybersecurity, Rep. Adam Putnam (R-Fla.) has expressed astonishment that only five out of 24 federal agencies have an accurate count of their information systems, as revealed in OMB's latest Congressional report on the Federal Information Security Management Act.

Putnam chairs the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee. His subcommittee asked Evans and other federal and industry officials to testify June 2 at a hearing on the growing threat of network vulnerabilities.

Evans told lawmakers the revised guidelines will require agency officials and each agency inspector general to vouch that systems are configured to the minimum-security standards they cite in their FISMA reports. Last year, OMB officials sought information about configuration standards but didn't go far enough, Evans said.

For federal agencies to develop and maintain secure configurations is no trivial task, she added. But some help could be forthcoming from the National Institute of Standards and Technology. Money permitting, NIST plans to set up a Web-based portal to publicize secure hardware and software configurations for systems that are now or likely to become widely used in the federal government, Evans said.

Evans also said OMB's new FISMA guidelines will demand more information from agencies about their procedures for patching security holes in their systems and about the use of security measures such as vulnerability scans and penetration tests.

In another change this year, agency inspectors general and agency officials will have to update their agency's inventory of hardware and software assets at least once a year, Evans said. And they will be asked to compare numbers and to report any disagreement on how many systems the agency actually has.

In other testimony, the subcommittee heard from Amit Yoran, director of the Homeland Security Department's National Cyber Security Division. Yoran said DHS is formalizing its relationships with federal, state and local government agencies, academic institutions, industry groups and businesses through a new effort called the United States Computer Emergency Readiness Team (US-CERT) Partner Program.

Through the program, which he said will begin this summer, DHS officials plan to create a permanent control-system center for collecting, analyzing, sharing and responding to cybersecurity threat information.

Yoran said the control center and a related testing facility will be used to protect the computer and network systems that control the nation's critical infrastructure, which includes power grids, dams and water filtration systems.

Putnman's committee also heard testimony from Robert Dacey, director of information security issues at the General Accounting Office, Dawn Meyerriecks, chief technology officer at the Defense Information Systems Agency, and Daniel Mehan, assistant administrator for information services and chief information officer at the Federal Aviation Administration.