What the security act requires

This is an excerpt from the Office of Management and Budget's draft guidance on what agencies must do to comply with the Government Information Security Reform Act:

"For non-national security programs, each agency head shall transmit to the OMB director an annual security review that includes:

1. An executive summary of how the agency is implementing the requirements of the security act, and

2. The annual program reviews and independent evaluations.

The executive summary shall consist of two components, one prepared by the inspector general (IG) characterizing the results of the independent evaluation and the other prepared by the chief information officer (CIO), working with program officials, that is based on the results of the annual program reviews. These summaries will be the primary basis of OMB's summary report to Congress."

OMB calls for the annual program security reviews to be based on 11 questions, including the following:

* "Identify the agency's total security funding.... This should include a breakdown of security costs by each major operating division or bureau and include critical infrastructure protection costs that apply to the protection of government operations and assets.

* Report any material weakness in policies, procedures, or practices as identified.

* Describe the specific performance measures used by the agency to determine and ensure that agency program officials have:

1. Assessed the risk to operations and assets under their control.

2. Determined the level of security appropriate to protect such operations and assets.

3. Maintained an up-to-date security plan for each system supporting the operations and assets under their control that is practiced throughout the life cycle.

4. Tested and evaluated security controls and techniques.

* Describe the agency's documented procedures for reporting security incidents and sharing information regarding common vulnerabilities.

* Provide a strategy to correct security weaknesses identified. Include a plan of action with milestones that include completion dates that:

1. Describes how the agency plans to address any issues/weaknesses.

2. Identifies obstacles to address known weaknesses."
