Carrying a big stick
The punishment was more than a year in the making. Last February, the Office of Management and Budget warned agencies that it would withhold fiscal 2002 funding for any information technology system that didn't include information security in its architecture. That got agencies' attention — at least, momentarily — but soon other topics, such as the IT pay raise, the race for the presidency and the protracted Florida election results, pushed OMB's threat to the back burner.
That is, until OMB began reviewing agency budgets for 2002. Earlier this month, an OMB official indicated that funding would be halted for some systems under development, as well as some legacy systems, if they lacked sufficient security measures.
For agencies on the security hit list, all is not lost — at least not yet. Those with systems that don't comply have until President Bush submits his detailed budget in April to prove that the designs incorporate the required security safeguards.
But as Bush pushes to take even more government functions online, citizens must believe that their interactions are confidential and secure. That's no easy task, given recent media reports of computer hackers and identity thieves. In order to provide services, state, local and federal governments must gather and store personal information; in return, the public must believe that information is properly protected.
And therein lies the dilemma. Although we believe OMB is justified in tying funding to information security, we also realize that it takes considerable funding to maintain, update and replace existing IT systems. Meanwhile, the agencies still have a mandate to provide services at a time when the public demands online access to government resources.
Just how many agencies and systems are on OMB's security hit list remains to be seen. But once the list is out, OMB needs to do more than cut funding, kill noncompliant systems and send the agencies packing. Officials must also conduct an assessment to determine what it will take to bring those systems into compliance and, if necessary, ask lawmakers for more money.
When it comes to information security, there's no reason to cut fiscal corners.