Agencies get new guidance on computer security

The federal Chief Information Officers Council has released new guidance to help agencies better assess their computer security readiness.

The framework for evaluating information technology systems--developed by the CIO Council, the Office of Management and Budget and the National Institute of Standards and Technology (NIST)--helps agencies determine the status of their security systems and identify any existing weaknesses. NIST is also working on a self-assessment questionnaire that will be available early next year.

In a memo to agency CIOs, Sally Katzen and Jim Flyzik, chair and vice chair of the CIO Council, said the new framework was designed to help agencies comply with security standards in the 1999 Government Information Security Reform Act. The act requires annual agency program reviews and audits by agency inspectors general of information security practices.

The General Accounting Office praised the CIO Council for issuing the guidance. "We commend the federal CIO Council for encouraging agencies to routinely evaluate the status of their information security programs and for providing this security assessment framework as a tool for facilitating such efforts," said Joel Willemssen, managing director of information technology issues at GAO, in a letter to Katzen.

Katzen and Flyzik advised agencies to give themselves at least six months to perform security assessments in light of the new reporting requirements.

This fall, Rep. Stephen Horn, R-Calif., chairman of the House Government Reform Subcommittee for Management, Information and Technology, rated the 24 major federal agencies' computer security systems, giving them an overall grade of "D-." In October, GAO also sharply criticized federal computer security efforts, after it successfully hacked into several agencies' computer systems.