Agencies show security progress

Fiscal 2002 GISRA report

In the fiscal 2002 report on their information security status and practices, agencies for the first time showed measurable progress on governmentwide security needs and agency-by-agency efforts.

Overall, agencies made progress on the significant problem areas identified by the Office of Management and Budget in fiscal 2001, such as a lack of performance measures and the inability to integrate security measures into the capital planning process. However, agencies still have a long way to go, according to the report, dated May 16 and released late last week.

For example, the number of systems with an up-to-date security plan rose from 40 percent in fiscal 2001 to 62 percent in fiscal 2002. That is a big jump, but it is still quite a way from the 100 percent requirement.

This is the last report under the Government Information Security Reform Act of 2000. From now on, agency security efforts will be outlined as part of GISRA's follow-on legislation, the Federal Information Security Management Act of 2002, which passed as part of the E-Government Act.

Both GISRA and FISMA require agencies to submit annual security evaluations to the Office of Management and Budget, and for OMB to submit a summary report to Congress.

The fiscal 2001 evaluations provided a baseline by determining the current state of agency's security practices, problems and solutions. In the fiscal 2002 report, OMB highlighted the changes, including the significant improvements agencies are making towards governmentwide goals and the distance agencies still have to go to actually meet the goals.

In the fiscal 2002 guidance, OMB set out detailed governmentwide performance measures, including the number of systems that have been through a risk assessment, the number of systems with security control costs integrated into their lifecycle costs, and the number of systems with a contingency plan.

An automated self-assessment tool developed by the National Institute of Standards and Technology played "an important role" in helping agencies through the collection of these and other metrics, according to the report.

The reports also revealed several new governmentwide challenges:

* Many agencies are finding the same security weaknesses every year.

* Some chief information officers and inspectors general have different views in their separate evaluations of an agency's security.

* Many agencies are not prioritizing security for existing systems before seeking funding for new systems.

* Not all agencies are reviewing all of their systems, despite the law's requirement that they do so.

* Agencies are still not incorporating security responsibility and accountability into every position across the agency.

OMB already has measures in place to address many of these problems, including working the changes into agencies' processes through the budget.