OMB optimistic about e-gov and cybersecurity progress

Two new reports describe achievements over past year.

The Office of Management and Budget released two reports last week touting the progress agencies have made in e-government and cybersecurity during fiscal 2004.

The congressionally mandated reports citing achievements over the last fiscal year come at a time when members of Congress have issued dismal cybersecurity grades to key agencies and expressed dissatisfaction with development of the various e-gov projects.

OMB pointed to the FirstGov Web site, which provides information and services in both English and Spanish, and Regulations.gov as examples of ways agencies are opening up to the public and encouraging more participation in government.

Nine agencies are planning and managing major IT investments within 10 percent of their projected costs and performance goals, according to the 2004 e-gov report, and the increased use of the Federal Enterprise Architecture is helping clarify the relationship between information and performance management. According to OMB, the 24 e-government initiatives have moved beyond major development milestones and are being used more frequently by citizens, businesses and government agencies.

Karen Evans, OMB's administrator for electronic government, said in a briefing last week that the e-gov initiatives are not losing momentum and the fact that they are becoming part of agencies' daily business is a positive development.

"It's hard to institutionalize this stuff," Evans said. "We've accomplished a majority of the work that we were set out to do."

Evans' goal this year is to establish a standard for measuring the money e-government projects save agencies. Only estimates are available now.

The 2004 Federal Information Security Management Act report, based on agency and inspector general reports submitted in October, concluded that several agencies made "outstanding progress" in risk assessments and testing security controls. While the overall percentages rose from 62 percent in fiscal 2003 to 77 percent in fiscal 2004, the Labor Department advanced from 58 percent in fiscal 2003 to 96 percent in fiscal 2004, and the Transportation Department rose from 33 percent in 2003 to 98 percent in fiscal 2004.

Of the 75 percent of systems with contingency plans, 57 percent of those plans were tested in fiscal 2004, and all agencies have started creating and applying security configuration policies to at least some of their operating systems, according to the FISMA report.

Evans said it is impossible to eliminate all risks in IT security, but contingency plans and assigning systems' responsibility to individuals will minimize damage when cyberattacks occur.

"It's not 'We will never be hacked,'" Evans said. "It's 'We will be hacked and this is our plan.'"

Evans said OMB will continue to push for cybersecurity standardization, but because agencies have vastly different systems, it will be difficult for a "single blanket" to cover all cybersecurity.

Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization, said the computer security report shows that FISMA has achieved its goal of raising the issue of cybersecurity to the senior level.

Security breakthroughs at large agencies like the Environmental Protection Agency and the Justice and Transportation departments show that complex agencies can successfully comply with the statutes, according to Paller.

The most significant progress in FISMA is a section, implemented in August 2004, that requires agencies to enforce minimum security requirements for systems by September 2005, Paller said.

"[This] allows you to walk to the system manager and say, 'Our systems have been getting a 3.5, we should be getting a 6 and this is how much it is going to cost to get there,'" Paller said. "Now you have some specific and repeatable tasks."