The starting point

OMB's security report could set the stage for long-awaited fixes

Scrutiny of information security at federal agencies was certain to be discouraging, and it was. But it's like going to the dentist with a toothache. You know the news will not be good, but identifying a problem is the first step toward solving it.

So when the Office of Management and Budget compiled a fairly damning report based on assessments performed by the chief information officers and inspectors general at 24 agencies and delivered it to Congress Feb. 13, security experts saw it as a good thing.

The report, required under the Government Information Security Reform Act (GISRA) of 2000, marks the first cross-agency study of security practices in the federal government. The bad news — described in terms of six common weaknesses across agencies — was not especially surprising.

But what has been lacking is the agency-by-agency, system-by-system study this report provides. OMB's methodical approach to diagnosing the problem has given the Bush administration the information it needs to determine the cure.

In preparation for the study, OMB provided CIOs and IGs with guidelines on what to report and how to report it. Those guidelines ensured that OMB, agency officials and Congress would be able to compare, contrast and compile a report on the state of security at agencies.

"We've known the problems for some time, but this is the first time we saw it in one document, drawn together," said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. McDonald's office is the lead for many of the governmentwide security programs used by agencies.

That broad assessment was, in fact, one of the reasons for writing the law.

"While some of the reports weren't that good, and some of the agencies aren't where we want them to be, at least the law forced [agencies] to identify what the problems are, and at least they are at the point where they know what they need to be doing," said a senior aide on the Senate Governmental Affairs Committee. Sen. Joe Lieberman (D-Conn.) and Sen. Fred Thompson (R-Tenn.), chairman and ranking member on the committee respectively, co-authored GISRA in 1999.

The report also provides an important blueprint for improving security across government, and it even highlights a few agencies that get security right. But progress cannot be measured without a baseline, and that, observers say, is what the report provides.

As agencies move forward with their corrective action plans and as OMB leads the governmentwide corrective efforts, officials and Congress can measure whether those actions are in fact doing any good, McDonald said.

"We can only improve from here," she said.

Unvarnished Truth

A baseline is only useful if it is accurate. Because the report relied on agency self-assessments, some observers feared that agencies would either cover up weaknesses or soft-pedal the bad news. But the reports OMB received were often blunt descriptions of the problems within programs.

"Some of the reports from the CIOs were quite candid and revealed problems that one might expect to come only from an [inspector general]," the report states.

The Agriculture Department, for example, admits that although officials recognize the need for precise security performance measures, they have not yet published any such policy or guidance. And the Defense Department provided a detailed explanation of how its "cumbersome IT management processes and outdated IT policies" undermine its IT security program.

OMB managed to elicit such honest conclusions from self-assessments by building a "double check" into the process, McDonald said. Agency IGs were asked to assess the same areas as the CIOs. It would look bad if one report included a weakness the other did not, she said.

OMB also made it clear that the GISRA reports would be included in the fiscal 2003 budget requests, taking that extra step to ensure that security was considered part of the larger program management issue, said Kamela White, an OMB policy analyst.

The truth, of course, does hurt sometimes.

GISRA is not the first law to require agencies to beef up security. Many departments are just now putting in place plans to address requirements dating back to the Computer Security Act of 1987. Even though GISRA was developed to address continuing weaknesses, it is still disturbing that agencies are only now beginning to address those old requirements, White said.

At the Commerce Department, for example, "despite a history of weaknesses in their security program and security for individual systems, the department appears to still be in the mode of developing security plans," the OMB report states. "While planning is essential, this has been an explicit statutory requirement since the enactment of the Computer Security Act of 1987, and by now, the department should be executing reliable and established processes."

Weaknesses in security training were the most commonly cited problems when it came to complying with the Computer Security Act.

Some agencies, including the Education Department, have recently established training programs. Education reported that 98 percent of its general staff had received awareness training, but could not report on what specialized training its program staff received.

Others, such as the Department of Health and Human Services, could only report that "most of their agencies 'provide some sort of security training,'" according to the OMB report. HHS did report that it has awarded a departmentwide contract to provide security awareness training to all of its employees by July 2002.

What Works

The news was not all bad, though. For each of the six areas of weakness, OMB also identified agencies that are beginning to address the problems.

When it comes to integrating security into capital planning for information technology, for example, the Labor Department has one of the best programs, according to OMB.

Much of this can be attributed to Labor's overall focus on IT planning, said Laura Callahan, the department's deputy CIO and director of its IT Center. Department officials bring together the IT requirements from across all of its agencies to obtain better deals from vendors and tighter control over investments, Callahan said.

This was not an easy program to put in place, because agencies never like giving up control, much less money, to the department level, Callahan admitted. But last year the department started pulling together common IT requirements, including security, and asking for money from relevant agencies with the promise that the return would be much greater, she said.

For example, an agency that was going to spend $10 million on its own intrusion-detection system could contribute $6 million toward buying a departmentwide system, use the extra $4 million for other security concerns and still get the system they needed in the first place.

The program has been so successful that more Labor agencies want to get involved and are being turned away because they do not fit into the requirement profiles the department has developed, Callahan said.

The GISRA assessments and reports also have become an important management tool at Labor, Callahan said. "It helped us understand where we needed to focus our resources, and then we could prioritize our investments effectively."

Callahan's staff looked at the assessments and identified three areas to focus on: contingency planning, certification and accreditation, and enterprise training and awareness. The system-specific security weaknesses found in the assessments are being dealt with at the program level, Callahan said.

"Really looking at [GISRA] from a high level it's been a wonderful management tool, and it goes down to an operational level because it sets out the goals and milestones for addressing each of the system weaknesses," she said.

Some departments are trying other methods for increasing their central security control. For fiscal 2002, HHS created an IT Security and Innovation Fund and received more than $20 million from Congress for it.

The fund will allow the department to develop enterprise solutions on its own, instead of relying on the dubious generosity of its agencies and components, said Brian Burns, deputy CIO at HHS.

"This will help us to focus on key areas and focus the enterprise funding now available at the department level to move forward quickly," he said.

It will also ensure that the smaller agencies — those that normally wouldn't have the money for their own solutions or to contribute to a departmentwide solution — can get involved, Burns said.

OMB also highlighted the database the Justice Department developed to track and remedy security weaknesses on a system-by-system basis. That database includes security information on all of the problems found during system certification and accreditation, IG audits, department hacking tests and other reviews.

The Way Forward

The OMB report, then, essentially put down two markers: The first one establishes a beginning point, the other a destination. The question now becomes, how do we get from here to there?

Just identifying a destination is a start. The successful programs uncovered by the GISRA report are not just exceptions to the rule, but models for how to move forward, government officials believe.

The administration is likely to develop governmentwide policies using the successful programs as "best practices." OMB also might use the programs as the basis of recommendations put forward through the Critical Infrastructure Protection Board's new committee on executive branch information systems security, which OMB heads.

OMB already is making security planning a part of the budgeting process. Officials required agencies to report on security spending for each system budgeted, beginning in fiscal 2002, and it was the topic of much discussion between the agencies and OMB during the budget development process last year, officials said.

It's difficult at this point to see the impact of these discussions on security practices. On the one hand, security spending is on the rise, from $2.7 billion out of almost $48 billion for IT in fiscal 2002 to a request for $4.2 billion out of $52 billion for fiscal 2003.

But as Mark Forman, OMB's associate director for IT and e-government, has pointed out, the administration has found no apparent link between high percentages of security funding and high levels of security performance.

Still, this year's budget discussions showed that agencies are giving more thought to security as part of system development, White said. "Reporting costs demonstrates that security has been integrated into the overall life cycle planning for that system, that the agency has gone and identified the necessary security controls to protect that system," she said. "It's not a metric for good security performance, it's a metric for good security management."

Many of OMB's other plans for expanding governmentwide training programs and developing recommendations for performance measures have just begun and will be a major part of the first meeting of the Critical Infrastructure Protection Board's committee in the coming weeks, according to Forman.

The board, composed of deputy secretaries or their designees, will be a major force for integrating governmentwide actions into each agency's IT management program, McDonald said. But its biggest role may be to help explain within the agencies what is going on, she said.

"We can only chastise so much, and then we've got to educate," she said. "Laws are fine, but not everyone stops for a red light. It's education and getting people to understand why the law was put in place, how it benefits them to have everyone follow it. That is the important part."

OMB is evaluating agencies' progress with their own corrective action plans on a quarterly basis, measuring agencies against each goal outlined in their plans. Officials completed the first evaluation at the end of January, and the next is due at the end of April. Those evaluations will be included in the e-government management evaluations conducted as part of the President's Management Agenda score card, Forman said.

The score card grades agencies' performance on the five agenda items: strategic workforce management, expanded use of e-government, increased competitive bidding of government services, improved financial performance and linking performance to budgets.

This consistent focus on a single management methodology, one that includes refocusing senior managers' attention, performance metrics and, particularly, enterprise architecture, is important because it moves the agencies toward a longer-term solution by making security part of their management process, McDonald said.

Without that, agencies will be no better off in the next report than they are now because new problems will have cropped up even though the old ones may be fixed, she said.

"You can't just stick on a Band-Aid. You've got to get into the heart of things, and for that, architecture is key," she said.

Congress will also be watching those management score cards, even though GISRA does not require OMB to brief Congress on the quarterly reports, the Senate Governmental Affairs Committee aide said. As members make their way through the OMB report, agencies can expect to be called to hearings and to attend briefings with staff on Capitol Hill, according to the aide.

"I think that together we would look at agencies that did not have good performance and give them time to put in place some of their fixes, and then come back to them and see how they are doing," the aide said.

***

Every solution begins with a question

OMB guidelines instructed federal agencies to report on the following:

* Security spending.

* Number of programs reviewed (the Government Information Security Reform Act of 2000 required that program officials and chief information officers review all programs and systems).

* Methodology used in the review.

* Whether they found material weaknesses reportable under other laws (e.g., the Chief Financial Officers Act of 1990 and the Federal Managers Financial Integrity Act of 1982).

* How they measure the performance of agency officials in fulfilling their security responsibilities.

* The effectiveness of training programs.

* How they detect and report vulnerabilities.

* How they integrate security and capital planning.

* How they prioritize and protect critical assets.

* How they ensure security plans are implemented.

* How they integrate all security programs.

* How they ensure that contractors are adhering to the agency's security practices.
