OMB delivers positive IT security report

The Office of Management and Budget reported today that federal agencies have certified and accredited the security of 85 percent of their IT systems.

The Office of Management and Budget today presented its report on managing information security systems to Congress. The report showed steady progress in closing security gaps in federal agencies.

OMB’s report, “FY2005 Report to Congress on Implementation of the Federal Information Security Management Act of 2002,” found 85 percent of IT systems to be certified and accredited — a 19-percent increase from last year. The quality of the certifications and accreditations at the agencies also increased, with 17 of 25 agencies rated as satisfactory or better. Corrective plans of action were deemed effective for 19 agencies.

However, some areas still need improvement. The report found that nine agencies rarely or sometimes check information systems used by contractors. It noted that one agency did not evaluate that element in its report. Also, testing of security controls dropped by four percent from fiscal 2004, and efforts to report security incidents, such as the spread of an Internet worm, were sporadic, according to the report.

OMB reported that six agencies had weak agencywide plans of action and milestones, and eight agencies were rated as poor for their quality of certification and accreditation processes.

To get the highest rating under the Expanded E-Government Scorecard, agencies must have inspectors general verify their departmentwide IT security remediation process, rate their certification and accreditation process as satisfactory, and have 90 percent of their IT systems properly secured.

OMB added three more criteria for agencies to keep that high score. By July 1, agencies must have all systems certified and accredited and maintained with security configurations. They also must have a consolidated agency infrastructure that provides for continuity of operations, according to the report.