The Clinton administration has said enough is enough. Last week, in memos issued by President Clinton and the Office of Management and Budget, the administration indicated that it plans to get tough with federal agencies that do not make information systems security a top priority.
The Clinton administration has said enough is enough. Last week, in memos
issued by President Clinton and the Office of Management and Budget, the
administration indicated that it plans to get tough with federal agencies
that do not make information systems security a top priority.
Starting with the fiscal 2002 budget, agencies that have not adequately
incorporated security measures into new or existing information systems
will not receive funding for those systems. In addition, starting in fiscal
2002, agencies will be allowed to purchase only commercial information security
products that have been evaluated by accredited national laboratories and
that meet international assurance standards.
OMB Director Jacob Lew last week released a memo detailing the information
security measures agencies must put in place if those systems are to be
considered for funding. Agencies, which have just begun to formulate fiscal
2002 budgets, must report in their fiscal 2002 budget requests how they
are complying with the guidance.
The memo specifically directs agencies to ensure that security and privacy
protections are an essential element of all new and existing information
systems. It also directs system managers to make sure the protections are
commensurate with the threat, do not impede an agency's ability to carry
out its mission, work in conjunction with a defined agency security strategy
and support existing agency information architectures.
"In general, OMB will consider new or continued funding only for those
system investments that satisfy these criteria and will consider funding
information technology investments only upon demonstration that existing
agency systems meet these criteria," the memo states.
The five "suggestions" provide much more specific guidelines than what
agencies worked from in the past. For years, agencies, using the Computer
Security Act and OMB Circular A-130, have decided on the security measures
for their systems.
That approach is not working, said Sen. Fred Thompson (R-Tenn.), chairman
of the Senate Governmental Affairs Committee, at a hearing last week. The
General Accounting Office has performed many agency security audits during
the past three years and consistently found the same weaknesses. But agencies
have done little to tighten information security beyond the specific problems
detailed in the reports, Thompson said.
"It's really outrageous that the federal government, in an area of this
sensitivity, cannot do more, faster," he said.
President Clinton last week issued a memo directing White House chief
of staff John Podesta to coordinate a governmentwide review of computer
system and network vulnerabilities and deliver a report on the review's
findings by April 1.
The fact that Podesta has been put in charge of the review and that
he will report the results directly to the president indicates how information
security has risen to the top of Clinton's agenda, a White House official
The memo also directs agency heads to work more closely with the Federal
Computer Incident Response Capability and the National Infrastructure Protection
Center to protect their computer systems against cyberthreats such as the
denial-of-service attacks that shut down Yahoo, eBay and other Internet
commerce sites last month.
"Remember that as you build your security budgets, your information
security budget is a key part of that," the White House official said.
"Clearly, the president's memo [and] the OMB memo refer to the fact
that people in government are getting more serious [about security]," said
Harris Miller, president of the Information Technology Association of America.
NEXT STORY: Political conventions get wired, too