No security, no OMB money

Under a new policy, agencies will receive money from OMB only for computer systems that have adequate built-in security measures.

Starting with the fiscal 2002 budget, the Office of Management and Budget will not pay for systems that have not adequately incorporated security measures into their information systems.

In a Feb. 28 memorandum to agency heads, OMB Director Jacob Lew outlined five principles to compel agencies to consider computer security and critical infrastructure protection programs as they build systems.

Under the new policy, security must:

* Be tied to agencies' information architectures.

* Be well-planned by demonstrating that costs are included in life-cycle planning systems.

* Manage risks by demonstrating that specific methods and controls are in place.

* Protect privacy and confidentiality by using security controls and authentication tools for public access that adhere to government and agency policies.

* Account for departures from security guidance from the National Institute of Standards and Technology, the agency designated as the lead for non-national security applications.

"In general, OMB will consider new or continued funding only for those system investments that satisfy these criteria and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria," the memo states.