OMB tweaks info security rules

The official rulebook on federal information security will contain a few surprises for agency officials when the Office of Management and Budget releases its finished guidelines for 2004. However, each of the changes fixes things that lawmakers and agency officials have said needed revision.

Lawmakers got a preview of some of those changes this week from Karen Evans, administrator for electronic government and information technology at OMB. Among the changes, she said, will be a new requirement for agencies to list their operating system configuration standards in a report that goes to OMB and Congress.

At several congressional hearings on cybersecurity, Rep. Adam Putnam (R-Fla.) has expressed astonishment that only five out of 24 federal agencies have an accurate count of their information systems, as revealed in OMB's latest congressional report on the Federal Information Security Management Act.

Putnam chairs the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee. His subcommittee asked Evans and other federal and industry officials to testify June 2 at a hearing on the growing threat of network vulnerabilities.

Evans told lawmakers the revised guidelines will require agency officials and each agency inspector general to vouch that systems are configured to the minimum-security standards they cite in their FISMA reports. Last year, OMB officials sought information about configuration standards but didn't go far enough, Evans said.

For federal agencies to develop and maintain secure configurations is no trivial task, she added. But some help could be forthcoming from the National Institute of Standards and Technology. Money permitting, NIST plans to set up a Web-based portal to publicize secure hardware and software configurations for systems that are now or likely to become widely used in the federal government, Evans said.

Evans also said OMB's new FISMA guidelines will demand more information from agencies about their procedures for patching security holes in their systems and about the use of security measures such as vulnerability scans and penetration tests.

In another change this year, agency inspectors general and agency officials will have to update their agency's inventory of hardware and software assets at least once a year, Evans said. And they will be asked to compare numbers and to report any disagreement on how many systems the agency actually has.

In other testimony, the subcommittee heard from Amit Yoran, director of the Homeland Security Department's National Cyber Security Division. Yoran said DHS is formalizing its relationships with federal, state and local government agencies, academic institutions, industry groups and businesses through a new effort called the United States Computer Emergency Readiness Team (US-CERT) Partner Program.

Through the program, which he said will begin this summer, DHS officials plan to create a permanent control-system center for collecting, analyzing, sharing and responding to cybersecurity threat information.

Yoran said the control center and a related testing facility will be used to protect the computer and network systems that control the nation's critical infrastructure, which includes power grids, dams and water filtration systems.

Putnam's committee also heard testimony from Robert Dacey, director of information security issues at the General Accounting Office; Dawn Meyerriecks, chief technology officer at the Defense Information Systems Agency; and Daniel Mehan, assistant administrator for information services and chief information officer at the Federal Aviation Administration.

