OMB updates security guidelines

Changes underscore infosec accountability, performance of agency managers

Agency officials could be held accountable for inadequately securing their information systems under new guidelines issued by the Office of Management and Budget.

The key change in the guidelines, released July 2, is the set of criteria for evaluating the performance of federal officials with security responsibilities.

Developed in response to agency requests, the performance measures examine the percentage of systems that have an up-to-date security plan, the security budget for each system and the number of employees who received specialized security training. Poor results could impact an agency's budget.

Earlier security rules and regulations have established measurements for security systems, but few have focused on the performance and accountability of the managers overseeing those systems, experts say.

"We're really in the elementary stages here, but you have to start somewhere and this is an excellent start," said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration.

The guidelines build on information garnered from the reports agencies first submitted last year under the Government Information Security Reform Act of 2000. GISRA requires federal chief information officers and inspectors general to annually evaluate agency information security practices and report the results to OMB.

Mark Forman, OMB's associate director of information technology and e-government, said the baseline reports from last year are a good start, but don't go far enough. "We need to track progress on improving the baseline...but we don't want to make this a rote exercise," he said.

The performance measures will help OMB track the outcomes, Forman said. "This allows us to track the results, not just the actions they've completed."

This year, reports must include an evaluation of agency officials based on the criteria OMB has provided. The performance measures represent a minimum required response, according to the guidelines.

For example, agencies must create "plans of action and milestones," which outline how officials plan to fix vulnerabilities discovered during the evaluations. Such plans were incorporated into the fiscal 2003 budget request, and future plans will continue to be part of the budget development process, according to the guidelines.

Agencies will be assessed on their progress in managing information security at the department level and at the bureau, agency or office level.

Performance measures provide needed direction for agency accountability, but they are not as stringent as they might be, McDonald said.

The guidance "makes clear to agencies the areas they need to concentrate on," she said. "OMB did an excellent job. I don't think they are particularly onerous, and I think that they're good measures and ones we can deal with."

Capt. Sheila McCoy, who leads the Navy Department CIO's information assurance team, said the guidelines have "more specifics in terms of numbers," but they are in line with what was expected.

But at least one security expert thinks OMB's guidelines are emphasizing the wrong issue.

The guidelines assume that "lengthy risk assessments need to be done before basic security actions are taken," said Alan Paller, director of research at the SANS Institute, an education and research organization for IT security professionals based in Bethesda, Md. Agencies delay taking simple critical steps to protect their systems from common risks while staff and consultants conduct lengthy risk assessments, he said.

The first step is to ensure that "each system passes minimum configuration benchmark testing," Paller said. "If systems are attached to the Internet before they are protected in conformance with the benchmarks, any security action will generally be too late."

It might seem logical to place risk assessment as the first step, but it's the wrong approach, Paller said. "It's like putting a bank in a rough neighborhood. Even before you do that, you put a good lock on the door. You don't need a separate study" to tell you that.

The Navy is in the process of finalizing the criteria the service will use to assess its security measures, McCoy said. "These may or may not be the same things OMB chooses to use," but they will encompass OMB's questions.

"We know that doing this report is part of the process," she added.

GISRA expires on Nov. 29, 2002, but several efforts under way in Congress seek to extend its authority, most notably the Federal Information Security Management Act, introduced by Rep. Tom Davis (R-Va.).

Christopher J. Dorobek and Rutrell Yasin contributed to this story.