OMB's action plan

In compiling agencies' information security self-assessments, the Office of Management and Budget identified six general weaknesses apparent across government. OMB then put together action plans for addressing those weaknesses.

Weakness 1: Lack of senior management attention.

Actions: OMB is working through the President's Management Council and the Critical Infrastructure Protection Board to promote sustained attention to security as part of the President's Management Agenda, and has sent security letters to each agency's leader highlighting this problem.

Weakness 2: Inadequate personnel performance measures.

Actions: OMB is working with agencies and experts to develop workable measures of job and program performance to hold federal employees accountable for their security responsibilities. Information technology security improvements will be evaluated quarterly as part of the President's Management Agenda score card.

Weakness 3: Few security education and awareness programs.

Actions: OMB and agencies are working through the Critical Infrastructure Protection Board's education committee and the CIO Council's Workforce Committee to address this issue. The CIO Council's Best Practices Committee also is working with the National Institute of Standards and Technology through its Federal Agency Security Practices Web site to identify and disseminate security training best practices.

Weakness 4: Poor integration of security funding into capital planning and investment.

Actions: OMB is working with agencies during the budget process to ensure that security is included as an integral part of their business cases for IT projects.

Weakness 5: Few controls over contractors' security practices.

Actions: A group, working under the guidance of the OMB-led Critical Infrastructure Protection Board Executive Branch Information Systems Security Committee, will recommend how to address security in contracts. OMB will also work with the CIO Council and the Procurement Executives Council to establish a training program that ensures appropriate contractor training in security.

Weakness 6: Few systems to detect, report and share incident information. Far too many agencies have virtually no meaningful system to test or monitor system activity and, therefore, are unable to detect intrusions, suspected intrusions or virus infections.

Actions: The General Services Administration's Federal Computer Incident Response Center reports to OMB on a quarterly basis on the federal government's status on IT security incidents. Additionally, under OMB and Critical Infrastructure Protection Board guidance, GSA is exploring methods to disseminate security patches to all agencies more effectively.