Carrying a big stick

The punishment was more than a year in the making. Last February, the Office of Management and Budget warned agencies that it would withhold fiscal 2002 funding for any information technology system that didn't include information security in its architecture. That got agencies' attention — at least, momentarily — but soon other topics, such as the IT pay raise, the race for the presidency and the protracted Florida election results, pushed OMB's threat to the back burner.

That is, until OMB began reviewing agency budgets for 2002. Earlier this month, an OMB official indicated that funding would be halted for some systems under development, as well as some legacy systems, if they lacked sufficient security measures.

For agencies on the security hit list, all is not lost — at least not yet. Those with systems that don't comply have until President Bush submits his detailed budget in April to prove that the designs incorporate the required security safeguards.

But as Bush pushes to take even more government functions online, citizens must believe that their interactions are confidential and secure. That's no easy task, given recent media reports of computer hackers and identity thieves. In order to provide services, state, local and federal governments must gather and store personal information; in return, the public must believe that information is properly protected.

And therein lies the dilemma. Although we believe OMB is justified in tying funding to information security, we also realize that it takes considerable funding to maintain, update and replace existing IT systems. Meanwhile, the agencies still have a mandate to provide services at a time when the public demands online access to government resources.

Just how many agencies and systems are on OMB's security hit list remains to be seen. But once the list is out, OMB needs to do more than cut funding, kill noncompliant systems and send the agencies packing. Officials must also conduct an assessment to determine what it will take to bring those systems into compliance and, if necessary, ask lawmakers for more money.

When it comes to information security, there's no reason to cut fiscal corners.


  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.