Further security guidance given

"Guidance for Preparing and Submitting Security Plans of Action and Milestones"

The Office of Management and Budget last week released additional guidance on how agencies must comply with a new law that pulls all of the federal information security mandates together and calls for reports that the administration and Congress will review.

Under the Government Information Security Reform Act of 2000, agencies must undergo annual self-assessments and independent assessments of their security practices and policies. Agencies sent OMB the first set of reports on the results in September.

By Oct. 31, agencies must turn in plans of action and milestones on how they plan to fix the weaknesses found in those assessments and indicate the resources and timeframe for those corrections. The new OMB guidance provides detailed instructions on what information must be included in the reports, the format, how they will be tied to the budget process, and what to include in the quarterly updates to follow. The first update is due Jan. 31, 2002.

The plans must either be consolidated with or accompanied by other agency plans to correct security weaknesses found in other reviews, providing a better view for agency heads, OMB and Congress.

"A consolidated [plan] provides a road map for continuous agency security improvement, assists with prioritizing corrective action and resource allocation, and is a valuable management and oversight tool," according to the guidance.

The guidance is based on questions provided by agencies after OMB released its instructions for the assessment reports in June. It is presented in a question and answer format, with a sample plan that outlines the eight categories of information agencies must provide:

* The type of weakness.

* The responsible office or organization.

* Estimated funding and resources required.

* The scheduled final completion date.

* Key milestones and completion dates.

* Milestone changes.

* The review that found the weakness.

* The plan's status (ongoing or completed).

Agencies should turn over the initial plan to OMB on a diskette as a Microsoft Corp. Excel worksheet. OMB is not requiring a specific format for the status updates.