OMB to require more reviews

Agencies must evaluate the effectiveness of their information security programs periodically throughout the year

Agencies must evaluate the effectiveness of their information security programs periodically throughout the year, rather than simply conduct an annual review, according to guidance the Office of Management and Budget plans to release next month.

The guidance will highlight new requirements set out under the latest security legislation, the Federal Information Security Management Act (FISMA) of 2002, which was passed last December as part of the E-Government Act of 2002.

Because of the similarities between FISMA and its predecessor, the Government Information Security Reform Act (GISRA) of 2000, the new guidance is designed to make sure agencies understand all the little changes, said Kamela White, security policy analyst at the Information Technology Policy Branch of OMB's Office of Information and Regulatory Affairs. She was speaking March 12 at a meeting of the Information Security and Privacy Advisory Board.

The increased frequency of self-evaluation is one change agencies may be concerned about. It will be difficult for agencies to balance their requirements against the scarce resources and funding in the security arena, board members said. But the National Institute of Standards and Technology is developing guidance now to help agencies determine the most efficient way to do this, said Ron Ross, program manager of the system certification and accreditation program in NIST's Computer Security Division.

OMB's new guidance also will expand on the performance measures first introduced in last year's GISRA reporting guidance, such as the number of systems that have undergone certification and accreditation.