Security plan OK'd

The federal CIO Council last week released the final version of an initial framework designed to let agencies determine where improvements are needed in their security programs.

Federal Information Technology Security Assessment Framework


The council's security subcommittee developed the Federal Information Technology Security Assessment Framework to provide agencies with a way to measure their systems' security against a five-level assessment. The framework is based on guidance from the Office of Management and Budget, the National Institute of Standards and Technology and the General Accounting Office.

"As a CIO, it allows me to focus on the asset itself and identify [not only] what I'm doing well that may be repeatable someplace else but also what I need to fix," said Brian Burns, head of the framework working group and deputy chief information officer at the Department of Health and Human Services.

Work on the framework began early this year, and subcommittee chairman John Gilligan intended to give it to Rep. Stephen Horn (R-Calif.) as the basis for the security grades Horn issued in September. But Horn instead used a questionnaire developed by his staff, and the governmentwide result was a D-minus.

Now the CIO Council and OMB are recommending that agencies start using the framework to perform the annual assessments required under the new Government Information Security Reform Act, passed in October as part of the fiscal 2001 Defense Authorization Act.

NIST is developing a companion to the framework, a self-assessment questionnaire to be released early in 2001.