Security reports get mixed reviews

Agency self-assessments rate information security programs improved in some areas and lacking in others

OMB fiscal 2001 security report

Agency self-assessments, released by the Office of Management and Budget in a Feb. 13 report to Congress, reveal that familiar information security challenges still exist and that throwing more money at the problem doesn't seem to help.

Agencies submitted the self-assessments to OMB last October, as is required by the Government Information Security Reform Act (GISRA), signed into law in October 2000 as part of the fiscal 2001 Defense Authorization Act. The law also requires that OMB submit a report to Congress on the self-assessments.

This is the first time agencies have identified their vulnerabilities on a system-by-system basis. Subsequent reports will detail whether vulnerabilities have been fixed or whether new ones have appeared. "OMB views this report, along with agencies' [GISRA] reports, as a valuable baseline to report agency security performance," the report states.

The self-assessments reveal pockets of excellence among the larger picture of poor security practices, according to the report. However, achieving better oversight of security programs is closer than ever.

The security weaknesses fell into six categories:

*Little attention from senior management

*Inadequate performance measures

*Few security education and awareness programs

*Poor integration of security funding into capital planning and investment

*Few controls over contractors' security requirements

*Virtually no meaningful systems to detect, report and share incident information

In fiscal 2002, agencies plan to spend more than $2.7 billion on security, almost 5.7 percent of a total information technology investment of almost $48 billion. The fiscal 2003 request for $4.2 billion for security, out of a total of $52 billion, raises that percentage to almost 8.1 percent.

The OMB analysis, however, could show no evidence that the percentage of money spent on security in any way affected the level of security performance, according to the report.

OMB, along with the CIO and Procurement Executives councils, the National Institute of Standards and Technology, the President's Management Council and the newly formed Critical Infrastructure Protection Board, is developing measures to address each of these weaknesses. These include:

*Developing governmentwide performance measures to help hold employees and managers accountable for their security responsibilities.

*Integrating security into the five items graded as part of the President's Management Agenda score card.

*Focusing high-level, detailed attention on training and best practices through committees on the CIP Board, the CIO Council and NIST.

*Developing recommendations for how to address security in contracts with the private sector.

*Establishing a training program to ensure appropriate contractor security training.

Agencies must also provide OMB with quarterly reports on their progress on correcting vulnerabilities specific to their agency, which should "bring agencies a long way toward positive overall security performance," the report states. OMB's evaluation of those corrective actions will be included in next year's report.
