OMB's double-edged security sword
- By Diane Frank
- Mar 12, 2000
The White House's get-tough stance on information security practices this
month has drawn a mixture of satisfaction and concern from agencies.
The Office of Management and Budget issued a memorandum ordering agencies
to explain how they will include security measures in information systems — at the risk of losing funding. Top information technology managers believe
that will help focus attention on the need for more effective security.
But managers also fear the requirement is short on specifics, making
it difficult for agencies to interpret exactly what OMB wants from them.
The OMB memo, issued late last month, outlines six principles and five
guidelines agencies must follow and forces agencies to describe in their
budget requests — starting with fiscal 2002 — how their security plans meet
these requirements. If agencies' explanations do not satisfy OMB, funding
for their information systems will not be included in the president's budget.
"In general, OMB will consider new or continued funding only for those system
investments that satisfy these criteria and will consider funding information
technology investments only upon demonstration that existing agency systems
meet these criteria," the memo states.
For many agency chief information officers, the threat of losing funding
for information systems will better focus IT staffs on security, not only
for individual systems but for agencies' entire information architectures.
At most agencies, the responsibility for IT is dispersed across the agency.
The NASA inspector general last month told the Senate Governmental Affairs
Committee that the lack of central IT responsibility is a severe handicap
to the agency's attempts at securing its systems.
The Energy Department has had similar problems with its national labs, and
last year Secretary Bill Richardson changed the agency's structure to give
CIO John Gilligan control of all IT and security measures. But even with
these changes, it is often difficult to convince the labs to listen, Gilligan
But the OMB memo should give more authority to the CIO, Gilligan said. "I
think OMB is trying hard, and I applaud their efforts," said Gilligan, who
is also co-chairman of the CIO Council's Security, Critical Infrastructure
and Privacy Committee. "This tries to provide a tool for enhancing the focus
Alan Balutis, deputy CIO at the Commerce Department, also said the memo
should give CIOs more power by tying IT so closely to budget decisions.
Still, agencies may have a difficult time determining how OMB will evaluate
their security reports and budget requests.
The guidance in the memo is vague, and CIOs do not want to make a wrong
guess at what OMB is looking for, Gilligan said. "We'll have subsequent
dialogues with OMB where we'll define specific formats and how to comply,"
OMB will likely "evaluate solutions on a case-by-case basis, and these
are the general guidelines," said Elliot Witmer, principle consultant at
Federal Sources Inc.
No matter how OMB evaluates each agency's systems, the new guidelines
will make agencies re-evaluate their own internal processes. "I think it'll
take some changes in thinking.... It may change the timing of how we put
the budget together," said one agency IT official. "Sometimes the budget
is developed so far ahead, there aren't any specifics yet. This will force
agencies to think of those specifics."