OMB: Agency compliance with cybersecurity law improving

Study highlights oversight of contractor-run systems as an area that needs attention.

Agencies improved slightly in fiscal 2005 at meeting computer security standards, according to a report released Wednesday by the Office of Management and Budget.

The percentage of agency information technology systems certified and accredited rose from 77 percent in fiscal 2004 to 85 percent in 2005, just short of an administration goal of 90 percent, OMB stated. Furthermore, the number of systems with tested contingency plans increased from 57 percent to 61 percent over that same period, the report to Congress on the implementation of the 2002 Federal Information Security Management Act found.

The number of agency IT systems also grew in that time, rising 19 percent from 8,623 to 10,289. Contractors or other non-government organizations manage 1,105 of those systems on behalf of the government.

The Defense Department, which houses 3,583 IT systems, went from 58 percent of systems certified and accredited to 82 percent, though the Pentagon inspector general gave the department a "poor" certification and accreditation rating in the OMB report.

The Veterans Affairs Department, which reported 14 percent of its systems as certified and accredited in fiscal 2004, reported that all 585 of its systems were certified and accredited the next year.

None of the inspectors general rated the certification and accreditation process as failing, but eight rated it as "poor." Four agency inspectors general rated it as "good," while the Social Security Administration IG was the only one to rate it as "excellent."

Included in the report were goals needed to maintain a "green" status -- the highest available grade -- in e-government on the Bush administration's quarterly management score card. They involved certifying and accrediting all IT systems by July 1, installing and maintaining all systems with proper security configurations and including continuity of operations provisions in the agency's infrastructure.

In fiscal 2005, agencies for the first time assigned risk levels to IT systems, with 1,646 categorized as "high impact" and another 2,497 as "moderate impact," the OMB report noted. Eighty-eight percent of those rated as "high impact" were certified and accredited, it said.

Richard Tracy, chief technology and security officer of the Telos Corp., an IT contractor, said he was pleased to see that agencies were not "picking the low hanging fruit" by certifying and accrediting the low-impact systems in order to improve their cybersecurity scores.

He said agencies are spending significant resources on the certification and accreditation process in order to improve the grades, but added that he would be curious to know whether they'll be able to continue monitoring the systems once FISMA compliance is reached.

OMB highlighted the oversight of contractor systems as a reason for "strategic and continued management attention" and asked agency inspectors general to confirm that systems operated by contractors meet FISMA requirements.

Inspectors general for the Pentagon and the Homeland Security and State departments told OMB their agencies "rarely" conduct oversight of contractor-operated IT systems. Inspectors for NASA and the Agriculture and Health and Human Services departments said their agencies "sometimes" oversee IT systems operated by contractors.

Another area of concern, according to OMB, is the number of systems with tested security controls, which dropped from 76 percent in fiscal 2004 to 72 percent in fiscal 2005.

Agencies' handling of incident reporting drew concern from OMB as well, with DHS finding "sporadic reporting by some agencies and unusually low levels of reporting by others."

"Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event," the OMB report stated.

Agencies' processes for planning, implementing and evaluating remediation of IT security deficiencies -- known as plans of action and milestones, or POA&M -- drew concern because of ineffective processes at the Defense, Agriculture, DHS and the Interior, Transportation and Treasury departments.

House Government Reform Committee staffers still are reviewing the report, according to Drew Crockett, spokesman for the panel's chairman, Rep. Tom Davis, R-Va.

The committee is scheduled to release its annual cybersecurity grades and discuss the OMB report at a March 16 hearing with Karen Evans, administrator of OMB's Office of Electronic Government and Information Technology, testifying, Crockett said in a statement.