Council framing agencies' security picture
- By Diane Frank
- Nov 16, 2000
CIO Council's Security, Privacy and Critical Infrastructure Protection Committee
With the availability of a tool to help agencies assess the adequacy of
their security programs, the federal CIO Council is asking the administration
to encourage agencies to reach a common baseline by next summer.
The council's Security Subcommittee is close to releasing its Federal
Information Security Assessment Framework. The methodology is designed to
help agencies measure their programs on five levels and then develop plans
to improve their security.
The framework has undergone several drafts, and the first version should
be released before the end of the month.
The council is asking the Office of Management and Budget to recommend that agencies use the framework to complete an initial security assessment by March 2001 and reach the framework's second level by summer, said John Gilligan, co-chairman of the council's Security, Privacy and Critical Infrastructure Protection Committee.
The framework was intended to help Congress, especially Rep. Stephen
Horn (R-Calif.), grade agencies' security programs. But Horn proceeded with
the grades — the government received a D-minus overall — and now agencies
can use the framework as a guide while OMB tries to improve federal security.
The next version of the framework will include a checklist being developed
by the National Institute of Standards and Technology. The checklist will
identify criteria that agencies need to meet to comply with the level designations,
said Brian Burns, deputy CIO at the Department of Health and Human Services
and chairman of the council's security framework working group.