The starting point

OMB's security report could set the stage for long-awaited fixes

Scrutiny of information security at federal agencies was certain to be discouraging, and it was. But it's like going to the dentist with a toothache. You know the news will not be good, but identifying a problem is the first step toward solving it.

So when the Office of Management and Budget compiled a fairly damning report based on assessments performed by the chief information officers and inspectors general at 24 agencies and delivered it to Congress Feb. 13, security experts saw it as a good thing.

The report, required under the Government Information Security Reform Act (GISRA) of 2000, marks the first cross-agency study of security practices in the federal government. The bad news — described in terms of six common weaknesses across agencies — was not especially surprising.

But what has been lacking is the agency-by-agency, system-by-system study this report provides. OMB's methodical approach to diagnosing the problem has given the Bush administration the information it needs to determine the cure.

In preparation for the study, OMB provided CIOs and IGs with guidelines on what to report and how to report it. Those guidelines ensured that OMB, agency officials and Congress would be able to compare, contrast and compile a report on the state of security at agencies.

"We've known the problems for some time, but this is the first time we saw it in one document, drawn together," said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. McDonald's office is the lead for many of the governmentwide security programs used by agencies.

That broad assessment was, in fact, one of the reasons for writing the law.

"While some of the reports weren't that good, and some of the agencies aren't where we want them to be, at least the law forced [agencies] to identify what the problems are, and at least they are at the point where they know what they need to be doing," said a senior aide on the Senate Governmental Affairs Committee. Sen. Joe Lieberman (D-Conn.) and Sen. Fred Thompson (R-Tenn.), chairman and ranking member on the committee respectively, co-authored GISRA in 1999.

The report also provides an important blueprint for improving security across government — and even highlights a few agencies that get security right — but such improvements would not be possible without a baseline to measure progress, and that's what the report provides, observers say.

As agencies move forward with their corrective action plans and as OMB leads the governmentwide corrective efforts, officials and Congress can measure whether those actions are in fact doing any good, McDonald said.

"We can only improve from here," she said.

Unvarnished Truth

A baseline is only useful if it is accurate. Because the report relied on agency self-assessments, some observers feared that agencies would either cover up weaknesses or soft-pedal the bad news. But the reports OMB received were often blunt descriptions of the problems within programs.

"Some of the reports from the CIOs were quite candid and revealed problems that one might expect to come only from an [inspector general]," the report states.

The Agriculture Department, for example, admits that although officials recognize the need for precise security performance measures, they have not yet published any such policy or guidance. And the Defense Department provided a detailed explanation of how its "cumbersome IT management processes and outdated IT policies" undermine its IT security program.

OMB managed to elicit such honest conclusions from self-assessments by building a "double check" into the process, McDonald said. Agency IGs were asked to assess the same areas as the CIOs. It would look bad if one report included a weakness the other did not, she said.

OMB also made it clear that the GISRA reports would be included in the fiscal 2003 budget requests, taking that extra step to ensure that security was considered part of the larger program management issue, said Kamela White, an OMB policy analyst.

The truth, of course, does hurt sometimes.

GISRA is not the first law to require agencies to beef up security. Many departments are just now putting in place plans to address requirements dating back to the Computer Security Act of 1987. Even though GISRA was developed to address continuing weaknesses, it is still disturbing that agencies are only now beginning to address those old requirements, White said.

At the Commerce Department, for example, "despite a history of weaknesses in their security program and security for individual systems, the department appears to still be in the mode of developing security plans," the OMB report states. "While planning is essential, this has been an explicit statutory requirement since the enactment of the Computer Security Act of 1987, and by now, the department should be executing reliable and established processes."

Weaknesses in security training were the most commonly cited problems when it came to complying with the Computer Security Act.

Some agencies, including the Education Department, have recently established training programs. Education reported that 98 percent of its general staff had received awareness training, but could not report on what specialized training its program staff received.

Others, such as the Department of Health and Human Services, could only report that "most of their agencies 'provide some sort of security training,'" according to the OMB report. HHS did report that it has awarded a departmentwide contract to provide security awareness training to all of its employees by July 2002.

What Works

The news was not all bad, though. For each of the six areas of weakness, OMB also identified agencies that are beginning to address the problems.

When it comes to integrating security into capital planning for information technology, for example, the Labor Department has one of the best programs, according to OMB.

Much of this can be attributed to Labor's overall focus on IT planning, said Laura Callahan, the department's deputy CIO and director of its IT Center. Department officials bring together the IT requirements from across all of its agencies to obtain better deals from vendors and control over investments, Callahan said.

This was not an easy program to put in place, because agencies never like giving up control, much less money, to the department level, Callahan admitted. But last year the department started pulling together common IT requirements, including security, and asking for money from relevant agencies with the promise that the return would be much greater, she said.

For example, an agency that was going to spend $10 million on its own intrusion-detection system could contribute $6 million toward buying a departmentwide system, use the extra $4 million for other security concerns and still get the system they needed in the first place.

The program has been so successful that more Labor agencies want to get involved and are being turned away because they do not fit into the requirement profiles the department has developed, Callahan said.

The GISRA assessments and reports also have become an important management tool at Labor, Callahan said. "It helped us understand where we needed to focus our resources, and then we could prioritize our investments effectively."

Callahan's staff looked at the assessments and identified three areas to focus on: contingency planning, certification and accreditation, and enterprise training and awareness. The system-specific security weaknesses found in the assessments are being dealt with at the program level, Callahan said.

"Really looking at [GISRA] from a high level it's been a wonderful management tool, and it goes down to an operational level because it sets out the goals and milestones for addressing each of the system weaknesses," she said.

Some departments are trying other methods for increasing their central security control. For fiscal 2002, HHS created an IT Security and Innovation Fund and received more than $20 million from Congress for it.

The fund will allow the department to develop enterprise solutions on its own, instead of relying on the dubious generosity of its agencies and components, said Brian Burns, deputy CIO at HHS.

"This will help us to focus on key areas and focus the enterprise funding now available at the department level to move forward quickly," he said.

It will also ensure that the smaller agencies — those that normally wouldn't have the money for their own solutions or to contribute to a departmentwide solution — can get involved, Burns said.

OMB also highlighted the database the Justice Department developed to track and remedy security weaknesses on a system-by-system basis. That database includes security information on all of the problems found during system certification and accreditation, IG audits, department hacking tests and other reviews.

The Way Forward

The OMB report, then, essentially put down two markers: The first one establishes a beginning point, the other a destination. The question now becomes, how do we get from here to there?

Just identifying a destination is a start. The successful programs uncovered by the GISRA report are not just exceptions to the rule, but models for how to move forward, government officials believe.

The administration is likely to develop governmentwide policies using the successful programs as "best practices." OMB also might use the programs as the basis of recommendations put forward through the Critical Infrastructure Protection Board's new committee on executive branch information systems security, which OMB heads.

OMB already is making security planning a part of the budgeting process. Officials required agencies to report on security spending for each system budgeted, beginning in fiscal 2002, and it was the topic of much discussion between the agencies and OMB during the budget development process last year, officials said.

It's difficult at this point to see the impact of these discussions on security practices. On the one hand, security spending is on the rise, from $2.7 billion out of almost $48 billion for IT in fiscal 2002 to a request for $4.2 billion out of $52 billion for fiscal 2003.

But as Mark Forman, OMB's associate director for IT and e-government, has pointed out, the administration has found no apparent link between high percentages of security funding and high levels of security performance.

Still, this year's budget discussions showed that agencies are giving more thought to security as part of system development, White said. "Reporting costs demonstrates that security has been integrated into the overall life cycle planning for that system, that the agency has gone and identified the necessary security controls to protect that system," she said. "It's not a metric for good security performance, it's a metric for good security management."

Many of OMB's other plans for expanding governmentwide training programs and developing recommendations for performance measures have just begun and will be a major part of the first meeting of the Critical Infrastructure Protection Board's committee in the coming weeks, according to Forman.

The board, composed of deputy secretaries or their designees, will be a major force for integrating governmentwide actions into each agency's IT management program, McDonald said. But its biggest role may be to help explain within the agencies what is going on, she said.

"We can only chastise so much, and then we've got to educate," she said. "Laws are fine, but not everyone stops for a red light. It's education and getting people to understand why the law was put in place, how it benefits them to have everyone follow it. That is the important part."

OMB is evaluating agencies' progress with their own corrective action plans on a quarterly basis, measuring agencies against each goal outlined in their plans. Officials completed the first evaluation at the end of January, and the next is due at the end of April. Those evaluations will be included in the e-government management evaluations conducted as part of the President's Management Agenda score card, Forman said.

The score card grades agencies' performance on the five agenda items: strategic workforce management, expanded use of e-government, increased competitive bidding of government services, improved financial performance and linking performance to budgets.

This consistent focus on a single management methodology — which includes refocusing senior managers' attention, performance metrics and, particularly, enterprise architecture — is an important one because it moves the agencies toward a more long-term solution by making security part of their management process, McDonald said.

Without that, agencies will be no better off in the next report than they are now because new problems will have cropped up even though the old ones may be fixed, she said.

"You can't just stick on a Band-Aid. You've got to get into the heart of things, and for that, architecture is key," she said.

Congress will also be watching those management score cards, even though GISRA does not require OMB to brief Congress on the quarterly reports, the Senate Governmental Affairs Committee aide said. As members make their way through the OMB report, agencies can expect to be called to hearings and to attend briefings with staff on Capitol Hill, according to the aide.

"I think that together we would look at agencies that did not have good performance and give them time to put in place some of their fixes, and then come back to them and see how they are doing," the aide said.

***

Every solution begins with a question

OMB guidelines instructed federal agencies to report on the following:

* Security spending.

* Number of programs reviewed (the Government Information Security Reform Act of 2000 required that program officials and chief information officers review all programs and systems).

* Methodology used in the review.

* Whether they found material weaknesses reportable under other laws (e.g., the Chief Financial Officers Act of 1990 and the Federal Managers Financial Integrity Act of 1982).

* How they measure the performance of agency officials in fulfilling their security responsibilities.

* The effectiveness of training programs.

* How they detect and report vulnerabilities.

* How they integrate security and capital planning.

* How they prioritize and protect critical assets.

* How they ensure security plans are implemented.

* How they integrate all security programs.

* How they ensure that contractors are adhering to the agency's security practices.
