What the security act requires

This is an excerpt from the Office of Management and Budget's draft guidance on what agencies must do to comply with the Government Information Security Reform Act:

"For non-national security programs, each agency head shall transmit to the OMB director an annual security review that includes:

1. An executive summary of how the agency is implementing the requirements of the security act, and

2. The annual program reviews and independent evaluations.

The executive summary shall consist of two components, one prepared by the inspector general (IG) characterizing the results of the independent evaluation and the other prepared by the chief information officer (CIO), working with program officials, that is based on the results of the annual program reviews. These summaries will be the primary basis of OMB's summary report to Congress."

OMB calls for the annual program security reviews to be based on 11 questions, including the following:

* "Identify the agency's total security funding.... This should include a breakdown of security costs by each major operating division or bureau and include critical infrastructure protection costs that apply to the protection of government operations and assets.

* Report any material weakness in policies, procedures, or practices as identified.

* Describe the specific performance measures used by the agency to determine and ensure that agency program officials have:

1. Assessed the risk to operations and assets under their control.

2. Determined the level of security appropriate to protect such operations and assets.

3. Maintained an up-to-date security plan for each system supporting the operations and assets under their control that is practiced throughout the life cycle.

4. Tested and evaluated security controls and techniques.

* Describe the agency's documented procedures for reporting security incidents and sharing information regarding common vulnerabilities.

* Provide a strategy to correct security weaknesses identified. Include a plan of action with milestones that include completion dates that:

1. Describes how the agency plans to address any issues/weaknesses.

2. Identifies obstacles to address known weaknesses."