Report stresses management's role in boosting cybersecurity

Based on a review of agencies' self-reported cybersecurity weaknesses, the Bush administration has pledged to ensure that cybersecurity is a management priority and will devote extra funding to plug the government's IT security holes, according to a report released Wednesday by the Office of Management and Budget.

The release of the report ends the first round of reporting under the 2000 Government Information Security and Reform Act, which required program reviews and audits of information security practices by agency inspectors general. The first internal reviews were due to OMB by October 2001. OMB sent its overview of the security gaps reported by agencies to Congress Wednesday.

According to the report, agencies have a long way to go in fixing their cybersecurity weaknesses. The report emphasized that security is an "essential management function." Therefore, it said, program officials - not just security officers and chief information officers - are "primarily responsible for ensuring that security is integrated and funded within their programs and tied to program goals."

OMB found six main deficiencies in agency cybersecurity efforts, most of which focus on management rather than technology:

  • Senior managers do not currently view cybersecurity as a priority. "[Security] is a management function, which must be embraced by each federal agency and agency head," the report said.
  • Program officials are not being evaluated on how well they integrate security into their systems. "Virtually every agency response regarding performance implies that there has been inadequate accountability for job and program performance related to IT security," the report said.
  • Agencies are doing a poor job of educating their employees about the importance of cybersecurity. "Some agencies and large bureaus reported virtually no security training," the report said.
  • Agencies are still working to integrate security into the budget and planning process. "[Agency] officials must ensure [security] is built into and funded within each system and program through effective capital planning and investment control," the report said.
  • Agencies are not including adequate security requirements in IT contracts. "Given that most federal IT projects are developed and many operated by contractors, IT contracts need to include adequate security requirements," the report said.
  • Security incidents and intrusions are not being detected or reported to interagency security groups. "Far too many agencies have virtually no meaningful system to test or monitor system activity and therefore are unable to detect intrusions, suspected intrusions or virus infections," the report said.

OMB used the GISRA findings to justify an increase of approximately $1.5 billion in the federal cybersecurity budget.

In fiscal 2002, agencies spent $2.7 billion on cybersecurity. According to the president's fiscal 2003 budget, which was released last week, agencies are expected to spend about $4.2 billion on cybersecurity in the next fiscal year.

In fiscal 2002, the majority of federal agencies reported spending between 2.1 percent and 5.6 percent of their total IT budget on security. Of the 24 largest federal departments and agencies, five reported spending between 7.3 percent and 17 percent of their total IT budget on security. Another five reported spending just 1 percent to 2 percent of their total IT budget on security.

Beyond increased funding, OMB has included cybersecurity as a key component of successful e-government in its management scorecard, a series of grades in five key categories of management included in the budget.

In addition, OMB has sent letters to department and agency heads about making cybersecurity a management priority and a key responsibility for employees beyond the IT staff. "Security is the responsibility of every employee in the agency," the report stated. "There must be consequences for inadequate performance."

In response to the October 2001 reports, OMB is now requiring agencies to submit plans to correct every cybersecurity weakness reported by the agency, its IG and GAO.

Furthermore, OMB is now requiring all large agencies to conduct a "Project Matrix" review. Project Matrix is a program developed by the White House's Critical Infrastructure Assurance Office to help with governmentwide disaster recovery planning. The program includes a template to help agencies identify their assets that are critical to the nation's economic and physical security and their dependencies on key services such as power and communications.
