OMB unveils security guidance

OMB guidance on implementing the Government Information Security Reform Act

The Office of Management and Budget last week recommended steps that agencies should take to ensure the security of federal information systems as required by recent legislation. The guidance on implementing the Government Information Security Reform Act, enacted in October as part of the 2001 Defense Authorization Act, comes as agencies prepare for the first round of annual reviews and reports on their security practices mandated under the legislation.

The act requires agency program managers and chief information officers to work together to develop an agencywide security program. The OMB guidance helps differentiate between the responsibilities at each management level.

Beyond basic management principles, the act requires an annual self-assessment of every program's security measures. With its guidance, OMB recommends the use of the CIO Council's Federal Information Technology Security Assessment Framework, released late in 2000, to promote consistency in the reviews.

The security act also requires each agency's inspector general to conduct a security review. The results of both reviews will be submitted to OMB in September with agencies' budget requests. To avoid duplication of effort and ensure consistency, CIOs and program managers should coordinate with IG offices for the reviews, according to the guidance.

This mutual understanding of the expectations is key, said John Gilligan, co-chairman of the CIO Council security committee. Auditors start with different expectations for what is "adequate." But a CIO Council guide released last week on examples of how to secure electronic-government programs "should help in establishing a more common frame of expectations," he said.

