Focus turned on security officials

OMB GISRA reporting guidelines

Updated guidance for agencies' annual reports on information security management capabilities includes a new focus on performance measures for officials who are accountable for systems security.

The Office of Management and Budget's new guidance, released July 2, builds on baseline created from the first reports submitted last year under the Government Information Security Reform Act (GISRA) of 2000. That law requires federal chief information officers and inspectors general to perform annual evaluations of agency information security practices and report the results to OMB, which will then provide a summary to Congress.

OMB submitted the fiscal 2001 report to Congress in February.

Last year, OMB officials asked agencies to identify the performance measures they used to evaluate officials. But according to the guidance, most agencies did not provide this information, and many requested that OMB develop such measures.

So this year, to highlight the importance of information security to program managers, OMB is requiring the agency and IG reports to include an evaluation of agency officials' performance against a set of high-level management measures defined by OMB in the reporting guidance.

"The OMB-provided performance measures represent a minimum required response and must be completed," according to the guidance.

These performance measures range from the percentage of systems that have an up-to-date security plan to the number of employees that received specialized security training.

Last year's guidance also included requirements for agencies to create "plans of action and milestones," which outline how officials planned to fix the vulnerabilities discovered in the evaluations. Those plans were incorporated into the fiscal 2003 budget request, and future plans will continue to be part of the budget-development process, according to the guidance.

This year the action plans will also be included in OMB's report to Congress.

The evaluation of agencies' security capabilities is also now part of the President's Management Agenda scorecard, under the e-government section. Agencies will be assessed on their information security management progress at both the departmentwide level and at the bureau, agency or office level.

"This step will further reinforce the roles and responsibilities of agency program officials...for the security of systems that support their programs and the agency chief information officer for the systems and the agencywide security program," the guidance states.

GISRA expires on Nov. 29, 2002, but there are several efforts in Congress to extend its authority, most notably the Federal Information Security Management Act, introduced by Rep. Tom Davis (R-Va.).