Feds earn qualified praise on security

For the first time, agencies have been able to show that they have improved their information security practices

Fiscal 2002 GISRA report

For the first time, agencies have been able to show that they have improved their information security practices, but they should not be complacent, experts said, because there is still a long way to go.

In fiscal 2002, agencies made measurable progress on the significant problem areas identified by the Office of Management and Budget the year before, such as a lack of ways to measure how an agency secures its systems and the failure to include security measures when developing systems.

However, agencies still have a long way to go, according to the report dated May 16. For instance, the number of systems with a security plan increased by more than 20 percent — a significant increase, but still far from the 100 percent requirement.

Yet just being able to measure progress is a big step, said Marianne Swanson, a computer specialist in the National Institute of Standards and Technology's Computer Security Division. Swanson heads the team that developed the Automated Security Self-Evaluation Tool (ASSET), which many agencies are using to perform the annual evaluations required by the Government Information Security Reform Act of 2000.

The fiscal 2002 data is the last to be reported under GISRA. From now on, agency security efforts will be outlined under GISRA's follow-on legislation, the Federal Information Security Management Act of 2002 (FISMA), which passed as part of the E-Government Act.

OMB highlighted ASSET for playing "an important role" in helping agencies through the collection of these and other metrics. The tool will be tweaked to enhance its reporting capabilities, but there will be no major changes for the fiscal 2003 process, Swanson said.

"As the questions stay the same each year, then you're actually able to map progress or lack of progress at each agency in specific areas," she said.

However, measurements and progress only make a difference if they actually improve agency security, not if they are boxes officials check off to satisfy OMB, said Alan Paller, director of research at the SANS Institute, an information security education and consulting organization.

Tracking how many systems are authorized to proceed after being certified and accredited is a good metric only if everyone is using the same standards, which agencies aren't doing for many areas of security, Paller said.

"You've got a circular system where you're testing for compliance, but you're not specifying what they should be doing," he said.

GISRA has helped raise awareness of security issues, and OMB is continuing the push by including security as a make-or-break point on information technology investments, one civilian agency official said. But it is still sometimes a struggle to get officials agencywide to understand the importance of investing in full security practices, not just solutions, the official said.

NIST is developing new security baseline requirements and guidelines for agencies that will require agencies to assess a system depending on the risks that system faces. The guidelines are mandated under FISMA and are a significant change to the metrics that agencies now use and to the questions they must address when using ASSET, Swanson said.
