OMB offers dim view of security

Assessment of agencies' GISRA reports supports the consistently poor view of federal security

The Office of Management and Budget's report on the first mandated agency security assessments supports the poor view of federal security outlined by auditors over the past few years, a top OMB official said Jan. 24.

The OMB report will be submitted to Congress next month with President Bush's fiscal 2003 budget.

Agency chief information officers and inspectors general in September submitted to OMB the first self-assessments required under the Government Information Security Reform Act of 2001.

OMB is required to provide a summary report to Congress, but this first set of reports revealed "nothing new," Glenn Schlarman, a senior security policy analyst at OMB, said at the General Services Administration's Securing Critical Federal Infrastructure conference.

Agencies spent about $3 billion on security out of the $45 billion spent on IT products across government, with 80 percent of agencies spending 1 percent to 3 percent of their budgets on security.

However, Schlarman said there is no way to tell if the agencies spending a higher percentage of their budgets on security are any more secure than those spending less.

The OMB assessments found that:

* Agency managers at all levels are not measuring the performance of security programs and systems.

* The security education and training in place at agencies is weak, making it hard to hold employees or managers accountable.

* Many technical problems still exist, including a lack of programs to apply security patches and a lack of organized incident handling and response.

Good components do exist within agencies, where a single office or group has a high level of security capability, but "one component can't save an entire agency," Schlarman said.
