No security, no OMB money

Starting with the fiscal 2002 budget, the Office of Management and Budget will not pay for systems that have not adequately incorporated security measures into their information systems.

In a Feb. 28 memorandum to agency heads, OMB Director Jacob Lew outlined five principles to compel agencies to consider computer security and critical infrastructure protection programs as they build systems.

Under the new policy, security must:

* Be tied to agencies' information architectures.

* Be well-planned by demonstrating that costs are included in life-cycle planning systems.

* Manage risks by demonstrating that specific methods and controls are in place.

* Protect privacy and confidentiality by using security controls and authentication tools for public access that adhere to government and agency policies.

* Account for departures from security guidance from the National Institute of Standards and Technology, the agency designated as the lead for non-national security applications.

"In general, OMB will consider new or continued funding only for those system investments that satisfy these criteria and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria," the memo states.
