OMB: Secure systems or else

Office of Management and Budget officials say they will withhold money from the 2002 budgets of agency systems that fail to meet the minimum security requirements.


Following through on a threat made a year ago under the Clinton administration, Office of Management and Budget officials say they will withhold money from the 2002 budgets of agency systems that fail to meet the minimum security requirements laid out in last year's memo.

Agencies have until next month — when President Bush's detailed budget is released — to tighten their systems.

But until then, OMB has put on hold the funding requests for several new and existing systems in which agencies have yet to show they have included information security as integral to the system's architecture, said Glenn Schlarman, a security policy analyst at OMB's Office of Information and Regulatory Affairs.

OMB has used similar fiscal tactics successfully before to enforce policy, and agencies have known about the policy since February 2000. Schlarman said OMB is willing to use that powerful hammer to get agency administrators' attention.

"We want explicit documentation of the [system's security] as we go along," he said.

OMB would not specify which systems were at risk of delayed funding, and most agencies did not return calls or declined to comment on the status of their funding requests. Information technology officials at both the Commerce Department and NASA did say they weren't aware of any of their systems being delayed. But cutting funding to a system already under way poses "a big management problem," said David Nelson, deputy chief information officer at NASA.

"These systems don't turn off like a faucet; it's like turning a battleship, and this definitely is something you will do anything to avoid," he said.

Although threatening a system's funding is not new at OMB, this is the first time that security has been a specific factor in the decision, which highlights the importance that OMB places on the issue, said John Spotila, an OIRA administrator under the Clinton administration.

OMB has advocated overall IT investment planning within the federal government since 1996, when then-director Franklin Raines put out eight "rules" that agencies should follow. But many budget requests failed to incorporate those rules until the 2001 budget cycle, Spotila said. That's when OMB instituted funding cuts for agencies that did not provide adequate plans in their system requests.

OMB developed the memo on security after successfully using its funding authority clout in 1999 and offered agencies help from OIRA staff and security experts from the National Institute of Standards and Technology. The fact that agency system budgets can still be cut under the Bush administration because of inadequate security plans shows the continuing commitment to plan first and spend later, said Spotila, now chief operating officer at federal contractor GTSI Corp.

"Just as in the '99 process, when we put proposals on hold because they were not properly thought out, OMB has done the same thing here and the president is backing them up," he said.

Many reports from the General Accounting Office call for agencies to think more about security in developing systems, and OMB's use of a key enforcement tool can only be good over the long run for government security, said Jean Boltz, a security analyst at GAO.