Security weaknesses abound

The first-ever system-by-system analysis of information security at federal agencies showed that familiar vulnerabilities still exist across government, according to a Feb. 13 Office of Management and Budget report to Congress, but long-term fixes for the problems are under way.

The report is based on agency self-assessments sent to OMB last October, as required by the Government In.formation Security Reform Act (GISRA) of 2000. The law also requires OMB to report on the results to Congress.

"The evaluation and reporting requirements of [GISRA] have given OMB and federal agencies an opportunity to record a baseline of agency [information technology] security performance that we have not previously had to this degree of detail," said Mark Forman, OMB's associate director for IT and e-government.

This is the first time agencies have drilled down to the level of individual systems in their assessments of security.

These details, when used with the corrective action plans submitted shortly after the reports last fall, enable agency officials and OMB to identify specific security improvement measures for agencies' fiscal 2003 budget requests and to make better decisions on how to spend remaining fiscal 2002 funding, Forman said.

In fiscal 2002, agencies plan to spend more than $2.7 billion on security — almost 5.7 percent of a total IT investment of almost $48 billion. The fiscal 2003 request for $4.2 billion for security out of $52 billion raises that percentage to almost 8.1 percent.

The OMB analysis, however, uncovered no evidence that the percentage of money spent on security in any way affected the level of security performance, Forman said.

The attention from the Bush administration and agency managers is having an impact, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Ad.ministration. Just a few months ago, most federal employees did not know GISRA existed, but "people know what GISRA is now," she said.

The security weaknesses identified in the report fell into six categories, including inadequate performance measures, few security education and awareness programs, and virtually no meaningful systems to detect, report and share incident information.

However, the self-assessments reveal pockets of excellence, such as the Labor and Housing and Urban Development departments' well-developed programs to integrate security into their IT capital planning process, according to the report.

OMB is working with agencies to extend these and other initiatives to fix the weak security practices.


  • Cybersecurity
    CISA chief Chris Krebs disusses the future of the agency at Auburn University Aug. 22 2019

    Shared services and the future of CISA

    Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.

  • Telecom
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA softens line on looming EIS due date

    Think of the September deadline for agencies to award contracts under the General Services Administration's $50-billion telecommunications contract as a "yellow light," said GSA's telecom services director.

  • Defense
    Shutterstock photo id 669226093 By Gorodenkoff

    IC looks to stand up a new enterprise IT program office

    The intelligence community wants to stand up a new program executive office to help develop new IT capabilities.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.