No security, no OMB money
- By Diane Frank
- Mar 05, 2000
Starting with the fiscal 2002 budget, the Office of Management and Budget
will not pay for agency information systems that have not adequately
incorporated security measures.
In a Feb. 28 memorandum to agency heads, OMB Director Jacob Lew outlined
five principles to compel agencies to consider computer security and critical
infrastructure protection programs as they build systems.
Under the new policy, security must:
* Be tied to agencies' information architectures.
* Be well-planned by demonstrating that costs are included in life-cycle
planning systems.
* Manage risks by demonstrating that specific methods and controls are
in place.
* Protect privacy and confidentiality by using security controls and
authentication tools for public access that adhere to government and agency
policies.
* Account for departures from security guidance from the National Institute
of Standards and Technology, the agency designated as the lead for non-national
security applications.
"In general, OMB will consider new or continued funding only for those
system investments that satisfy these criteria and will consider funding
information technology investments only upon demonstration that existing
agency systems meet these criteria," the memo states.