Federal Information Technology Security Assessment Framework

The federal CIO Council last week released the final version of an initial
framework designed to let agencies determine where improvements are needed
in their security programs.
The council's security subcommittee developed the Federal Information
Technology Security Assessment Framework to provide agencies with a way
to measure their systems' security against a five-level assessment. The
framework is based on guidance from the Office of Management and Budget,
the National Institute of Standards and Technology and the General Accounting
Office.
"As a CIO, it allows me to focus on the asset itself and identify [not
only] what I'm doing well that may be repeatable someplace else but also
what I need to fix," said Brian Burns, head of the framework working group
and deputy chief information officer at the Department of Health and Human
Services.
Work on the framework began early this year, and subcommittee chairman
John Gilligan intended to give it to Rep. Stephen Horn (R-Calif.) to determine
the security grades he issued in September. But Horn instead used a questionnaire
developed by his staff, and the governmentwide result was a D-minus.
Now the CIO Council and OMB are recommending that agencies start using
the framework to perform the annual assessments required under the new Government
Information Security Reform Act, passed in October as part of the fiscal
2001 Defense Authorization Act.
NIST is developing a companion to the framework, a self-assessment questionnaire
to be released early in 2001.