OMB technology official defends new security requirements

E-government chief denies that the new requirements are geared toward cutting anyone out of any business or requiring all agencies to convert to Microsoft operating systems.

GAITHERSBURG, Md. -- A Bush administration official who has dictated the next round of security changes that federal information technology departments must make defended the new rules at a National Institute of Standards and Technology summit here Thursday.

Karen Evans, the e-government chief at the White House Office of Management and Budget, said: "What we have today is utter chaos. We're not very secure."

She said the goal of the so-called Security Content Automation Protocol is for the Agriculture Department to use the same IT configuration as the Justice Department, for example, and for federal entities to be able to verify security claims made by vendors.

"If a vendor has chosen not to do this, you are not supposed to buy that software," Evans said. But she said she realized there would be a transition period and there would need to be a way to grant deviations by completing waivers.

Evans said federal information security officers need to know the baselines of current systems and constantly evaluate them so that when new hardware or software arrives, they know whether it works. She said another goal is to force IT departments to methodically ask whether it is necessary to run each software package or whether it is just convenient.
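The baseline-and-waiver process described in the two paragraphs above (know the baseline, continually compare systems against it, and grant documented deviations rather than silent exceptions) can be illustrated with a small compliance check. The code below is an added example written for this page, not OMB, NIST or SCAP tooling; the setting names, host snapshots and waiver entries are constructed and hypothetical, and a real deployment would consume SCAP checklist content instead of an inline dictionary.

```python
"""Configuration-baseline check with documented waivers (added example).

Assumptions: BASELINE, HOSTS and WAIVERS are constructed sample data; the
setting names are hypothetical and not drawn from any real checklist.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    actual: object   # None when the host did not report the setting
    status: str      # "pass", "fail", "waived" or "unknown"
    note: str = ""


# Constructed baseline: the configuration every host is expected to match.
BASELINE = {
    "firewall.enabled": True,
    "autorun.enabled": False,
    "password.min_length": 12,
    "remote_admin.listening_ports": [],
}

# Constructed host snapshots, as an inventory or scan tool might report them.
HOSTS = {
    "agency-a-ws-01": {
        "firewall.enabled": True,
        "autorun.enabled": False,
        "password.min_length": 12,
        "remote_admin.listening_ports": [],
    },
    "agency-b-ws-07": {
        "firewall.enabled": False,
        "autorun.enabled": False,
        "password.min_length": 8,
        # "remote_admin.listening_ports" was not reported: state is unknown
    },
}

# Constructed waivers keyed by (host, setting); the justification is recorded
# so a waived deviation is visible rather than silently ignored.
WAIVERS = {
    ("agency-b-ws-07", "firewall.enabled"):
        "legacy application; waiver id PLACEHOLDER, review before expiry",
}


def evaluate_host(host, observed, baseline=BASELINE, waivers=WAIVERS):
    """Compare one host's observed settings against the baseline.

    A setting the host did not report is treated as non-compliant ("unknown"):
    an unknown state is exactly the gap the baseline is meant to close.
    """
    findings = []
    for setting, expected in baseline.items():
        if setting not in observed:
            status, actual, note = "unknown", None, "setting not reported"
        elif observed[setting] == expected:
            status, actual, note = "pass", observed[setting], ""
        elif (host, setting) in waivers:
            status, actual, note = "waived", observed[setting], waivers[(host, setting)]
        else:
            status, actual, note = "fail", observed[setting], ""
        findings.append(Finding(host, setting, expected, actual, status, note))
    return findings


def evaluate_fleet(hosts=HOSTS, baseline=BASELINE, waivers=WAIVERS):
    """Evaluate every host and return the combined list of findings."""
    findings = []
    for host, observed in hosts.items():
        findings.extend(evaluate_host(host, observed, baseline, waivers))
    return findings


def summarize(findings):
    """Count findings by status, so waived deviations stay visible in reports."""
    counts = {"pass": 0, "fail": 0, "waived": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def compliant_hosts(findings):
    """Hosts with no fail or unknown findings; waived deviations still count."""
    bad = {f.host for f in findings if f.status in ("fail", "unknown")}
    return sorted({f.host for f in findings} - bad)


if __name__ == "__main__":
    results = evaluate_fleet()
    for f in results:
        if f.status != "pass":
            print(f"{f.host:16} {f.setting:30} {f.status:8} "
                  f"expected={f.expected!r} actual={f.actual!r} {f.note}")
    print(summarize(results))
    print("compliant hosts:", compliant_hosts(results))
```

The check deliberately reports three distinct non-pass states: an unwaived deviation, a waived deviation with its justification attached, and a setting the host never reported, which is counted against the host rather than quietly skipped.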

Evans said part of the reason federal computer systems are so vulnerable is that they have "allowed 1,000 flowers to bloom."

"We've drawn a line in the sand," Evans said, adding that if the Defense Department can make changes, anyone can.

She denied that the new security requirements are geared toward cutting anyone out of any business or requiring all departments to convert to Microsoft operating systems.

Matt Barrett, a computer scientist at NIST, said there are 135 different configurations in federal IT systems now.

Evans said she has heard the argument that federal agencies would be more vulnerable to security attacks under just one system because everyone, including the bad guys, knows what the configuration is, and OMB has been transparent about it. She said that argument and the one that systems would be more secure with one configuration are like "two religious camps."

She said her beliefs tend toward one system because with the chaos she sees in the current system, it is difficult for information security officers to easily know how many Internet access points they have. "Those are the vulnerabilities and the risks that when we're all interconnected we have to know," Evans said.

Evans said some people think mandating one system is an unfunded mandate from OMB and that the minute systems switch to meet the requirements, there will be breakdowns. She acknowledged both points.

But she further argued that because citizens have to give federal agencies lots of personal information, "we owe it to them" to get a better handle on security vulnerabilities.

She also offered an incentive, saying that departments will be able to keep any cost savings from greater efficiency to put into other programs like security or tracking the use of personally identifiable information.