Agencies close to satisfying cybersecurity law

Early numbers from reports submitted Oct. 1 show that 88 percent of systems will meet certification and accreditation requirements.

The White House Office of Management and Budget predicts that the percentage of federal systems complying with a 2004 law requiring agencies to identify cyber risks and develop ways to combat them will be up next year.

Karen Evans, OMB's administrator of e-government and information technology, told a cybersecurity conference Thursday that early numbers based on reports submitted Oct. 1 show that 88 percent of systems will meet certification and accreditation. That is up from 85 percent last year. "That's good, but my goal is 90 percent, and my overall goal is 100 percent," Evans said.

She said the number of systems with tested contingency plans is expected to be 78 percent, compared with 60 percent in 2005.

The guidelines included in the Federal Information Security Management Act require agencies to analyze their applications, assess risk, and identify ways to combat that risk. Evans said those steps alone do not mean systems are secure.

She said it is often more telling when inspectors general assign ratings to see how agencies manage weaknesses as new vulnerabilities emerge.

Evans said the number of agencies in which inspectors general are identifying remediation is expected to go from 17 in 2005 to 19 this year. She said the numbers released Thursday at the conference organized by the Information Technology Association of America could change when the report is released in March.

Meanwhile, since the theft earlier this year of a laptop computer with personal data about veterans, chief information officers now must report security problems to the Homeland Security Department within an hour of learning of them. "As of Sept. 30, we've had 338 separate instances involving secure information," Evans said.

The computer was stolen from the home of a Veterans Affairs Department employee, but Evans said OMB does not believe it can solve the problem by prohibiting federal employees from taking data out of the office. Instead, agencies need to examine who has access to sensitive data and what the risk is, she said.

Keith Johnson, a vice president of Liquid Machines, agreed, saying that locking down data altogether hurts productivity. "We need collaboration," Johnson said.

On another front, Evans said agencies have started issuing the new identification cards that will be used for access to federal buildings and databases, as required by a 2004 presidential directive. "Most card-reading systems are not compatible with the cards that have been issued," Evans said in response to a question from a contractor at the conference.

Evans said agencies decide what systems to buy to read the cards. She said some already have card readers, but there is no date set to have them in place. She said it may not make sense for each agency to buy a card reader because there often are several agencies within one federal building, although some may require higher levels of security.