Report stresses management’s role in boosting cybersecurity

The Bush administration has pledged to ensure that cybersecurity is a management priority and will devote extra funding to plug the government’s IT security holes, according to a report released Wednesday by the Office of Management and Budget.

Based on a review of agencies' self-reported cybersecurity weaknesses, the Bush administration has pledged to ensure that cybersecurity is a management priority and will devote extra funding to plug the government's IT security holes, according to a report released Wednesday by the Office of Management and Budget.

The release of the report ends the first round of reporting under the 2000 Government Information Security and Reform Act (GISRA), which required program reviews and audits of information security practices by agency inspectors general. The first internal reviews were due to OMB by October 2001. OMB sent its overview of the security gaps reported by agencies to Congress Wednesday.

According to the report, agencies have a long way to go in fixing their cybersecurity weaknesses. The report emphasized that security is an "essential management function." Therefore, it said, program officials, not just security officers and chief information officers, are "primarily responsible for ensuring that security is integrated and funded within their programs and tied to program goals."

OMB found six main deficiencies in agency cybersecurity efforts, most of which focus on management rather than technology:

  • Senior managers do not currently view cybersecurity as a priority. "[Security] is a management function, which must be embraced by each federal agency and agency head," the report said.
  • Program officials are not being evaluated on how well they integrate security into their systems. "Virtually every agency response regarding performance implies that there has been inadequate accountability for job and program performance related to IT security," the report said.
  • Agencies are doing a poor job of educating their employees about the importance of cybersecurity. "Some agencies and large bureaus reported virtually no security training," the report said.
  • Agencies are still working to integrate security into the budget and planning process. "[Agency] officials must ensure [security] is built into and funded within each system and program through effective capital planning and investment control," the report said.
  • Agencies are not including adequate security requirements in IT contracts. "Given that most federal IT projects are developed and many operated by contractors, IT contracts need to include adequate security requirements," the report said.
  • Security incidents and intrusions are not being detected or reported to interagency security groups. "Far too many agencies have virtually no meaningful system to test or monitor system activity and therefore are unable to detect intrusions, suspected intrusions or virus infections," the report said.

OMB used the GISRA findings to justify an increase of approximately $1.5 billion in the federal cybersecurity budget. In fiscal 2002, agencies spent $2.7 billion on cybersecurity. According to the president's fiscal 2003 budget, which was released last week, agencies are expected to spend about $4.2 billion on cybersecurity in the next fiscal year.

In fiscal 2002, the majority of federal agencies reported spending between 2.1 percent and 5.6 percent of their total IT budget on security. Of the 24 largest federal departments and agencies, five reported spending between 7.3 percent and 17 percent of their total IT budget on security. Another five reported spending just 1 percent to 2 percent of their total IT budget on security.

Beyond increased funding, OMB has included cybersecurity as a key component of successful e-government in its management scorecard, a series of grades in five key categories of management included in the budget. In addition, OMB has sent letters to department and agency heads about making cybersecurity a management priority and a key responsibility for employees beyond the IT staff. "Security is the responsibility of every employee in the agency," the report stated. "There must be consequences for inadequate performance."

In response to the October 2001 reports, OMB is now requiring agencies to submit plans to correct every cybersecurity weakness reported by the agency, its IG and GAO. Furthermore, OMB is now requiring all large agencies to conduct a "Project Matrix" review. Project Matrix is a program developed by the White House's Critical Infrastructure Assurance Office to help with governmentwide disaster recovery planning. The program includes a template to help agencies identify their assets that are critical to the nation's economic and physical security and their dependencies on key services such as power and communications.