No security, no OMB money

Starting with the fiscal 2002 budget, the Office of Management and Budget will not pay for information systems that have not adequately incorporated security measures.

In a Feb. 28 memorandum to agency heads, OMB Director Jacob Lew outlined five principles to compel agencies to consider computer security and critical infrastructure protection programs as they build systems.

Under the new policy, security must:

* Be tied to agencies' information architectures.
* Be well-planned by demonstrating that costs are included in life-cycle planning systems.
* Manage risks by demonstrating that specific methods and controls are in place.
* Protect privacy and confidentiality by using security controls and authentication tools for public access that adhere to government and agency policies.
* Account for departures from security guidance from the National Institute of Standards and Technology, the agency designated as the lead for non-national security applications.

"In general, OMB will consider new or continued funding only for those system investments that satisfy these criteria and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria," the memo states.
