What the security act requires

This is an excerpt from the Office of Management and Budget's draft guidance on what agencies must do to comply with the Government Information Security Reform Act:

"For non-national security programs, each agency head shall transmit to the OMB director an annual security review that includes:

1. An executive summary of how the agency is implementing the requirements of the security act, and

2. The annual program reviews and independent evaluations.

The executive summary shall consist of two components, one prepared by the inspector general (IG) characterizing the results of the independent evaluation and the other prepared by the chief information officer (CIO), working with program officials, that is based on the results of the annual program reviews. These summaries will be the primary basis of OMB's summary report to Congress."

OMB calls for the annual program security reviews to be based on 11 questions, including the following:

* "Identify the agency's total security funding.... This should include a breakdown of security costs by each major operating division or bureau and include critical infrastructure protection costs that apply to the protection of government operations and assets.

* Report any material weakness in policies, procedures, or practices as identified.

* Describe the specific performance measures used by the agency to determine and ensure that agency program officials have:

1. Assessed the risk to operations and assets under their control.

2. Determined the level of security appropriate to protect such operations and assets.

3. Maintained an up-to-date security plan for each system supporting the operations and assets under their control that is practiced throughout the life cycle.

4. Tested and evaluated security controls and techniques.

* Describe the agency's documented procedures for reporting security incidents and sharing information regarding common vulnerabilities.

* Provide a strategy to correct security weaknesses identified. Include a plan of action with milestones that include completion dates that:

1. Describes how the agency plans to address any issues/weaknesses.

2. Identifies obstacles to address known weaknesses."
