OMB's double-edged security sword
CIOs welcome the clout OMB's ultimatum gives them. ... complying is another matter
The White House's get-tough stance on information security practices this
month has drawn a mixture of satisfaction and concern from agencies.
The Office of Management and Budget issued a memorandum ordering agencies
to explain how they will include security measures in information systems — at the risk of losing funding. Top information technology managers believe
that will help focus attention on the need for more effective security.
But managers also fear the requirement is short on specifics, making
it difficult for agencies to interpret exactly what OMB wants from them.
The OMB memo, issued late last month, outlines six principles and five
guidelines agencies must follow and forces agencies to describe in their
budget requests — starting with fiscal 2002 — how their security plans meet
these requirements. If agencies' explanations do not satisfy OMB, funding
for their information systems will not be included in the president's budget.
"In general, OMB will consider new or continued funding only for those system
investments that satisfy these criteria and will consider funding information
technology investments only upon demonstration that existing agency systems
meet these criteria," the memo states.
For many agency chief information officers, the threat of losing funding
for information systems will better focus IT staffs on security, not only
for individual systems but for agencies' entire information architectures.
At most agencies, the responsibility for IT is dispersed across the agency.
The NASA inspector general last month told the Senate Governmental Affairs
Committee that the lack of central IT responsibility is a severe handicap
to the agency's attempts at securing its systems.
The Energy Department has had similar problems with its national labs, and
last year Secretary Bill Richardson changed the agency's structure to give
CIO John Gilligan control of all IT and security measures. But even with
these changes, it is often difficult to convince the labs to listen, Gilligan
said.
But the OMB memo should give more authority to the CIO, Gilligan said. "I
think OMB is trying hard, and I applaud their efforts," said Gilligan, who
is also co-chairman of the CIO Council's Security, Critical Infrastructure
and Privacy Committee. "This tries to provide a tool for enhancing the focus
on security."
Alan Balutis, deputy CIO at the Commerce Department, also said the memo
should give CIOs more power by tying IT so closely to budget decisions.
Still, agencies may have a difficult time determining how OMB will evaluate
their security reports and budget requests.
The guidance in the memo is vague, and CIOs do not want to make a wrong
guess at what OMB is looking for, Gilligan said. "We'll have subsequent
dialogues with OMB where we'll define specific formats and how to comply,"
he said.
OMB will likely "evaluate solutions on a case-by-case basis, and these
are the general guidelines," said Elliot Witmer, principal consultant at
Federal Sources Inc.
No matter how OMB evaluates each agency's systems, the new guidelines
will make agencies re-evaluate their own internal processes. "I think it'll
take some changes in thinking.... It may change the timing of how we put
the budget together," said one agency IT official. "Sometimes the budget
is developed so far ahead, there aren't any specifics yet. This will force
agencies to think of those specifics."