[ISN] Agencies make security improvements


By Diane Frank 
April 10, 2003

The government has made "substantial" progress in information security
since last year, but the same measurements that identify improvement
also highlight that there is a long way to go, testified Mark Forman,
associate director for information technology and e-government at the
Office of Management and Budget, at a House hearing April 8.

The final report to Congress under the Government Information Security
Reform Act (GISRA) of 2000 is in its final draft and will soon be
released. It includes the second year of performance metrics in many
security areas, and the improvement in those areas is significant,
Forman told the House Government Reform Committee's Technology,
Information Policy, Intergovernmental Relations and the Census

Some of those metrics are:

* In fiscal 2001, only 40 percent of federal systems had the required
  up-to-date security plans. In fiscal 2002, that increased to 61

* Only 27 percent of federal systems underwent security certification
  and accreditation in fiscal 2001, compared to 47 percent in fiscal

* The percentage of systems that had gone through risk assessments
  increased from 44 percent in fiscal 2001 to 64 percent in fiscal

But the numbers are still far from where they should be, Forman said.
This fiscal year, OMB has already set a goal to have 80 percent of
federal systems be certified and accredited. Other goals are even
higher, and OMB and Congress must continue to put pressure on agencies
as the government transitions to the Federal Information Security
Management Act of 2002, which permanently reauthorizes GISRA, he said.

"Oversight of progress has been and will continue to be very important
to this," Forman said.

There are some concerns that governmentwide security management is
suffering under the organizational changes made with the Homeland
Security Department's creation, particularly when it comes to
coordination and resources.

But agency IT officials have found that OMB's attention through the
GISRA reports has raised agency executives' awareness, which has in
turn significantly helped the IT officials implement necessary policy
and technology changes.

In the past year, the Commerce Department managed to raise its
security procedures on many of the criteria included in OMB's GISRA
reporting guidance, said Tom Pyke, chief information officer at the

Right now, 96 percent of Commerce's systems have gone through risk
assessments, 90 percent have contingency plans in place, 92 percent
have undergone certification and accreditation, and 98 percent have an
up-to-date security plan, he said.

Commerce has also created a departmentwide database of needed
corrective actions and has already addressed 74 percent of those
issues identified for fiscal 2003, he said.

ISN is currently hosted by Attrition.org
