Agencies show security progress

Fiscal 2002 GISRA report

In the fiscal 2002 report on their information security status and practices, agencies for the first time showed measurable progress on governmentwide security needs and agency-by-agency efforts.

Overall, agencies made progress on the significant problem areas identified by the Office of Management and Budget in fiscal 2001, such as a lack of performance measures and the inability to integrate security measures into the capital planning process. However, agencies still have a long way to go, according to the report, dated May 16 and released late last week.

For example, the number of systems with an up-to-date security plan rose from 40 percent in fiscal 2001 to 62 percent in fiscal 2002. That is a big jump, but it is still quite a way from the 100 percent requirement.

This is the last report under the Government Information Security Reform Act of 2000. From now on, agency security efforts will be outlined as part of GISRA's follow-on legislation, the Federal Information Security Management Act of 2002, which passed as part of the E-Government Act.

Both GISRA and FISMA require agencies to submit annual security evaluations to the Office of Management and Budget, and for OMB to submit a summary report to Congress.

The fiscal 2001 evaluations provided a baseline by determining the current state of agencies' security practices, problems and solutions. In the fiscal 2002 report, OMB highlighted the changes, including the significant improvements agencies are making toward governmentwide goals and the distance agencies still have to go to actually meet the goals.

In the fiscal 2002 guidance, OMB set out detailed governmentwide performance measures, including the number of systems that have been through a risk assessment, the number of systems with security control costs integrated into their lifecycle costs, and the number of systems with a contingency plan.

An automated self-assessment tool developed by the National Institute of Standards and Technology played "an important role" in helping agencies through the collection of these and other metrics, according to the report.

The reports also revealed several new governmentwide challenges:

* Many agencies are finding the same security weaknesses every year.

* Some chief information officers and inspectors general have different views in their separate evaluations of an agency's security.

* Many agencies are not prioritizing security for existing systems before seeking funding for new systems.

* Not all agencies are reviewing all of their systems, despite the law's requirement that they do so.

* Agencies are still not incorporating security responsibility and accountability into every position across the agency.

OMB already has measures in place to address many of these problems, including working the changes into agencies' processes through the budget.

