What the security act requires

This is an excerpt from the Office of Management and Budget's draft guidance on what agencies must do to comply with the Government Information Security Reform Act:

"For non-national security programs, each agency head shall transmit to the OMB director an annual security review that includes:

1. An executive summary of how the agency is implementing the requirements of the security act, and

2. The annual program reviews and independent evaluations.

The executive summary shall consist of two components, one prepared by the inspector general (IG) characterizing the results of the independent evaluation and the other prepared by the chief information officer (CIO), working with program officials, that is based on the results of the annual program reviews. These summaries will be the primary basis of OMB's summary report to Congress."

OMB calls for the annual program security reviews to be based on 11 questions, including the following:

* "Identify the agency's total security funding.... This should include a breakdown of security costs by each major operating division or bureau and include critical infrastructure protection costs that apply to the protection of government operations and assets.

* Report any material weakness in policies, procedures, or practices as identified.

* Describe the specific performance measures used by the agency to determine and ensure that agency program officials have:

1. Assessed the risk to operations and assets under their control.

2. Determined the level of security appropriate to protect such operations and assets.

3. Maintained an up-to-date security plan for each system supporting the operations and assets under their control that is practiced throughout the life cycle.

4. Tested and evaluated security controls and techniques.

* Describe the agency's documented procedures for reporting security incidents and sharing information regarding common vulnerabilities.

* Provide a strategy to correct security weaknesses identified. Include a plan of action with milestones that include completion dates that:

1. Describes how the agency plans to address any issues/weaknesses.

2. Identifies obstacles to address known weaknesses."
