OMB report shows slight increase in IT security awareness

By Daniel Pulliam

March 1, 2007

Agencies are doing a better job measuring how secure their computer systems are, even as the number of systems grows, according to an annual report from the Office of Management and Budget released Thursday.

But the quality of the underlying process that produces those numbers, known as certification and accreditation, has remained mostly stagnant and has even declined in some areas, the 144-page report stated.

The portion of certified and accredited systems rose from 85 percent in fiscal 2005 to 88 percent in fiscal 2006, the report stated. At the same time, the number of systems climbed from 10,289 to 10,595, a 3 percent increase. In fiscal 2002, only 47 percent of systems were certified and accredited.

The State and Homeland Security departments were most notable in their improvement in the latest report. Thirteen agencies now report that all their systems are certified and accredited.

"Agencies continued to make progress securing government systems this past year, but we still have more to do to secure our information," said Karen Evans, OMB administrator of e-government and information technology. "Our goal is to secure 100 percent of our systems."

The report covered fiscal 2006 -- a period marked by a spike in the number of highly publicized incidents where personal information stored on government computers was vulnerable to fraud or other misuse. A May 2006 breach at the Veterans Affairs Department left sensitive data on more than 26.5 million people at risk, for instance; officials ended up recovering that information.

According to OMB, 15 agencies reported 338 security incidents involving personally identifiable information over the course of the fiscal year. VA confirmed 446 security incidents internally, of which 91 were reported to law enforcement officials. But the VA inspector general found that the quality of the department's certification and accreditation process was poor, the OMB report stated.

Certification and accreditation is a key component of the federal government's computer security law, the 2002 Federal Information Security Management Act. The law requires agencies to determine the level of security a given system needs based on the potential consequences of that system failing or being breached, and then to formally authorize the system's continued operation. Agencies must repeat this process at least once every three years.

The number of agency inspectors general that rated the certification and accreditation process as "satisfactory" or better dropped from 17 in fiscal 2005 to 16 in fiscal 2006. The IGs rating the process as "poor" or failing increased from eight in fiscal 2005 to nine in fiscal 2006.

In fiscal 2006, agency officials tested security controls on 88 percent of all systems, up from 61 percent in fiscal 2005. They also tested contingency plans for 77 percent of all systems, up from 72 percent in fiscal 2005.

Doubts have been raised as to the effectiveness of FISMA, with critics stating that it is little more than a paperwork exercise. But OMB officials have said the law needs more time before it can be judged.

Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., said the OMB report is misleading because it does not measure the actual security controls implemented by agencies. He said the FISMA requirements are "extremely wasteful -- to the point of scandalous abuse -- because the money that should be spent on securing systems is being given instead to contractors who write reports that are never read."

Of the 10,595 government systems in fiscal 2006, 1,207 were managed by a contractor or another outside organization, the report stated. A majority of agency IGs -- 18 out of 24 -- found that agency oversight of contractor-operated systems was frequent. The remaining six, however, said oversight was rare.

David Link, chief executive officer and founder of ScienceLogic, a Reston, Va., IT management firm, said he was impressed by how far agencies have come. Agency scores in the report "look pretty good in comparison to their counterparts on the commercial side," he said.

In related news, OMB also released its annual report to Congress on the benefits of e-government Thursday.


http://www.govexec.com/technology/2007/03/omb-report-shows-slight-increase-in-it-security-awareness/23876/