Further security guidance given

"Guidance for Preparing and Submitting Security Plans of Action and Milestones"

The Office of Management and Budget last week released additional guidance on how agencies must comply with a new law that pulls all of the federal information security mandates together and calls for reports that the administration and Congress will review.

Under the Government Information Security Reform Act of 2000, agencies must undergo annual self-assessments and independent assessments of their security practices and policies. Agencies sent OMB the first set of reports on the results in September.

By Oct. 31, agencies must turn in plans of action and milestones on how they plan to fix the weaknesses found in those assessments and indicate the resources and timeframe for those corrections. The new OMB guidance provides detailed instructions on what information must be included in the reports, the format, how they will be tied to the budget process, and what to include in the quarterly updates to follow. The first update is due Jan. 31, 2002.

The plans must either be consolidated with or accompanied by other agency plans to correct security weaknesses found in other reviews, providing a better view for agency heads, OMB and Congress.

"A consolidated [plan] provides a road map for continuous agency security improvement, assists with prioritizing corrective action and resource allocation, and is a valuable management and oversight tool," according to the guidance.

The guidance is based on questions provided by agencies after OMB released its instructions for the assessment reports in June. It is presented in a question and answer format, with a sample plan that outlines the eight categories of information agencies must provide:

* The type of weakness.

* The responsible office or organization.

* Estimated funding and resources required.

* The scheduled final completion date.

* Key milestones and completion dates.

* Milestone changes.

* The review that found the weakness.

* The plan's status (ongoing or completed).

Agencies should turn over the initial plan to OMB on a diskette as a Microsoft Corp. Excel worksheet. OMB is not requiring a specific format for the status updates.
