Not just another report
The governmentwide information security report released last month by the Office of Management and Budget is the first serious effort to bring together the executive and legislative branches to solve the monumental job of securing federal systems, which, admittedly, have as many holes as Swiss cheese.
The report, required by the Government Information Security Reform Act of 2000, was refreshingly honest. Indeed, many federal systems have serious security weaknesses. But that wasn't the big news laid out in the GISRA report. Rather, the report now organizes security data into a matrix that the White House and Capitol Hill can use to pinpoint problems and work toward a solution.
The report should provide a blueprint for Congress, which, as a whole, has shown that it does not fully understand the shortcomings of federal information security and its consequences. It was just a few years ago, when compiling the Defense Department's fiscal 1999 budget, that the Senate Appropriations Committee nearly zeroed out DOD's $70 million budget to fight information warfare and replaced it with a $500,000 line item for software security research. The budget was later reinstated. Agencies have not been without fault, either. Many are just now putting in place security policies required by the 15-year-old Computer Security Act.
One of security's key problems was that it was among the first budget items to be cut when agencies faced financial trade-offs, and agencies have always had to make financial trade-offs. As a result, security has languished, and many agency officials did not see the benefit in educating themselves about the problems.
No more. Now Congress and agencies have the data to begin making real progress. OMB has already made security part of the funding process. Agencies must also include security in their performance metrics and as part of enterprise architecture plans. Such intense scrutiny of security, making it part of the planning process from the beginning, is the only way agencies will begin to secure information systems.