IG infosec reports cite agency shortcomings

Agencies have submitted the first set of reports on their information security practices


Agencies have submitted the first set of reports on their information security practices, and Office of Management and Budget officials are holding tight to the reviews prepared by chief information officers. But those released by inspectors general provide a glimpse into the security problems facing agencies.

Each agency had to submit two assessments of its information security policies under the Government Information Security Reform Act signed last October as part of the fiscal 2001 Defense Authorization Act. GISRA not only requires agencies to better manage their security, it also requires them to document their progress through a self-assessment and an independent review by the IGs.

OMB allowed IGs to choose whether or not to release their reports to the public. Several—including those from the Agriculture, Transportation and Energy departments—have made their reports available on their Web sites.

Those reports reveal many common problems, including weak controls that allow unauthorized employees to access sensitive systems. But the IGs also found evidence that agencies are starting to adopt practices advocated by central resources such as the CIO Council.

Although the reports may raise the awareness of agency executives, they may not prove entirely helpful to the people working on security, said William Hadesty, the USDA's associate CIO for cybersecurity.

The USDA has established a departmentwide security program and has enacted many of the measures required by law at the department level. But few of them have filtered down to the agency level, especially with regard to incident response and performance measures, according to the USDA's IG office.

The USDA has begun instituting many of the security practices required by GISRA, Hadesty said at the E-Gov Information Assurance Conference last month. But the GISRA guidelines issued by OMB earlier this year will not help the department address its weaknesses, he said.

GISRA does not spell out the ramifications for agencies whose assessments reveal poor security, but it does require agencies to provide a follow-up report with remediation plans and milestones for fixing weaknesses. Hadesty said he does not expect those plans to help the USDA either, because they will be based on the GISRA format.

Instead, he is awaiting the results of a General Accounting Office review of GISRA and the OMB guidance on developing the reports. Rep. Stephen Horn (R-Calif.), chairman of the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee, requested the review in March.

MORE INFO

GISRA conclusions

Information security reports recently prepared by agency inspectors general revealed these weaknesses:

* No standard for minimum security training requirements at the Agriculture Department.

* Poor internal access controls at the Energy Department, where at least nine employees were able to access the network without passwords.

* Inconsistent enforcement of external access controls; the Transportation Department IG was able to access almost 270 systems from the Internet.

* Fewer than half of DOE's offices consistently reported to the department's incident response center.