CIOs look to grade fed security

As it becomes more evident that agencies may have licked the Year 2000 problem, the CIO Council has turned its attention to the next big obstacle facing federal information technology: security.

The council has begun to collect and develop a series of benchmarks that will enable Congress and administrators to measure how secure agencies' information systems are, much the way agencies were graded on their Year 2000 readiness.

Many factors are leading to an increased awareness of information security as the next primary issue agency administrators will face.

Presidential Decision Directive 63, issued by President Clinton last year, requires agencies to secure their critical systems against cyberattacks. The Government Paperwork Elimination Act of 1998, which requires agencies to offer their services to citizens on the Internet whenever possible by October 2003, also has led to increased general security and privacy concerns.

With agencies trying to comply with those laws, the council realizes that it must keep track of how well agencies are progressing in securing systems, internally and against other organizations.

But establishing a grading system for security may be harder than it was for measuring agencies' Year 2000 efforts, which came with guidelines from the General Accounting Office and the Office of Management and Budget.

"We are waiting for benchmarks that we can measure agencies against," said Don Meyer, spokesman for Sen. Robert Bennett (R-Utah), chairman of the Senate Special Committee on the Year 2000 Technology Problem. "Y2K was easy because of the guidelines from GAO and OMB... but an equivalent for security does not yet exist."

In 1996, Rep. Stephen Horn (R-Calif.), chairman of the House Government Management, Information and Technology Subcommittee, developed the Year 2000 grading system. Those grades were based on objective guidelines and helped check the government's status as well as motivate agencies to put together the often costly solutions.

"It is a powerful motivator, no one wants to be an F," said Fernando Burbano, chief information officer at the State Department, at a conference earlier this month.

Recognizing that the grading system motivated agencies to fix Year 2000 bugs faster than they may otherwise have, the CIO Council and other managers believe grades for security progress may do the same. Bennett, Horn and other members of Congress also have considered the Year 2000 grades as an example of how to keep track of agencies' progress.

But until an equivalent set of benchmarks and guidelines from OMB is in place, a grading system that has any level of confidence cannot be put together, said Matt Ryan, a policy analyst for Horn.

"I think that we will definitely go that direction, but we need to get a lot smarter on the issues before we start any measurements," he said.

The CIO Council's Security, Privacy and Critical Infrastructure Committee will work to help lay the groundwork for setting benchmarks that would be instituted early next year, officials said.

"Congressman Horn and OMB have both talked about putting together a potential report card," a CIO Council official said. "We're not trying to pre-empt that, we're just trying to lay out a structure of what they will measure against.... We're just trying to lay out, if there were to be some kind of report card, what would be a level one, two or three."

Working with federal agencies and in cooperation with members of Congress and OMB, the council hopes to develop the benchmarks by the beginning of next year, the CIO Council official said. This not only will help with any congressional effort to measure overall agency progress, but it also will help program and agency managers determine internally how secure their systems are, he said.

"We want to put something as objective as possible out there for the agencies to use," the official said. "It at least tells you where you need to be."