OMB orders agencies to report on computer security
According to updated guidelines released last week by the Office of Management and Budget, federal departments and agencies will have to take additional steps to verify the security of their computer systems by providing quarterly, detailed information on strategies and progress toward repairing diagnosed security flaws.
Under a 2000 information-security law, federal agencies are required to conduct security assessments of their computer and information systems and offer "corrective plans" for flaws or vulnerabilities.
Within those plans, federal chief information officers must list security vulnerabilities discovered by independent analysis, for example, reviews conducted by the General Accounting Office. The agency's inspectors general must verify those plans, according to the document.
OMB also has asked federal agencies to provide a detailed description of their implementation processes for corrective plans and ways to track their progress. Agency CIOs must report their progress on a quarterly basis, as well as changes in the status of security assessments.
For example, the organization must list the total number of security weaknesses identified in programs and information systems, the number of repaired flaws and the number of new weaknesses detected in each quarter. The first round of report summaries is due to OMB in September.
"[The 2000 Government Information Security Reform Act] is one of the key pieces for cybersecurity," said Dan Burton, vice president of government affairs at Internet security firm Entrust. "It's often viewed as technical or administrative ... but it's what is driving integrity" in federal agency computer and information security.
The law is set to sunset in October 2002, but several lawmakers on Capitol Hill have been pushing measures to extend and even permanently enact it.
The Senate has passed a measure to boost electronic government initiatives that includes a provision that would extend the life of the security reform act. In the House, members of the Government Reform Committee likely will approve legislation to create a Homeland Security Department that includes language sought by Virginia Republican Tom Davis to enhance cybersecurity in agencies.
The White House Cybersecurity Office supports efforts to extend the 2000 information security law, according to a White House official, but the administration is not specifically asking for an extension of the law as part of its national cybersecurity strategy or within Homeland Security Department legislation.
Officials aim to release the cybersecurity strategy around Sept. 19, according to the official. The office has worked with OMB to enhance security practices and advised the agency on releasing the updated reporting guidelines.
OMB did not return repeated calls for comment.