OMB: Agencies improve IT security, but many are short of goals

Agency IT security has shown marked improvement over the last three years, but too many departments still fall short of Federal Information Security Management Act goals, OMB reported today.

Agency IT security has shown marked improvement over the last three years, but too many departments still are falling short in meeting the goals of the Federal Information Security Management Act, the Office of Management and Budget said today in its annual report (PDF) to Congress.

After reviewing almost 8,000 systems, OMB found that 62 percent have been certified and accredited by the agency’s inspector general or a private-sector third party. This was short of OMB’s goal of certifying 80 percent by Dec. 31, 2003. And because of these shortfalls, OMB is requiring agencies to fix the problems before spending any money on development, enhancement or modernization projects in fiscal 2004.

OMB also found half of all major agencies do not have a security remediation process verified by their IGs. This was again short of OMB’s goal of all 24 agencies having a confirmed process to identify, track and correct weaknesses.

Additionally, agencies fell short of OMB’s third goal for fiscal 2003—integrating security into the lifecycle of at least 80 percent of all IT systems. OMB said 78 percent of all agencies met this requirement.

There was some good news: The government improved in all seven categories OMB evaluates. This year, OMB wants agencies to improve their incident prevention and management capabilities by increasing their emphasis on reducing the impact of worms and viruses, the report said. The Commerce Department, NASA, the National Science Foundation, the Nuclear Regulatory Commission, the Office of Personnel Management and the Social Security Administration were among the agency leaders, reporting at least 79 percent of all systems meeting the requirements in all seven categories.










  • 78 percent of all systems have been assessed for risk and assigned a risk level, up from 65 percent in 2002.


  • 73 percent of all systems have up-to-date IT security plans, an increase of 11 percent over last year.


  • 68 percent of all systems have contingency plans, up from 55 percent last year.





