OMB mulls adding information security requirements to budget regs

The Office of Management and Budget is looking at ways to better incorporate security into agencies' funding requests for information technology systems, including revising regulations governing how agencies formulate their budgets.

At most agencies, security is added to information systems and architectures long after the technology is in place. That leaves agencies with vulnerabilities and management issues that cannot be solved unless security is built into the systems, said Glenn Schlarman, policy analyst at OMB's Office of Information Policy and Technology, speaking Tuesday in Falls Church, Va., at a conference sponsored by the General Services Administration's Office of Information Security.

"For the security of a system, [information security] fundingemust be woven into the funding of the [entire] system," he said.

To make security a more fundamental part of agency IT system development starting in fiscal 2001, OMB is studying ways to revise Circular A-11, the document regulating how agencies develop their budget estimates for the president.

"Security will, in all likelihood, be part of that next year," Schlarman said.

Many agencies have called on Congress and OMB to develop emergency or supplemental money for security, similar to the funding offered for solving last-minute Year 2000 problems. But that kind of approach is not going to work for something as broad and complex as information and systems security, Schlarman said.

"If we look at security as a standalone thing that requires a pot of money, then we miss the mark," he said.