Agencies make security improvements

OMB fiscal 2002 GISRA reporting guidance

The government has made "substantial" progress in information security since last year, but the same measurements that identify improvement also highlight that there is a long way to go, testified Mark Forman, associate director for information technology and e-government at the Office of Management and Budget, at a House hearing April 8.

The final report to Congress under the Government Information Security Reform Act (GISRA) of 2000 is in its final draft and will soon be released. It includes the second year of performance metrics in many security areas, and the improvement in those areas is significant, Forman told the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

Some of those metrics are:

* In fiscal 2001, only 40 percent of federal systems had the required up-to-date security plans. In fiscal 2002, that increased to 61 percent.

* Only 27 percent of federal systems underwent security certification and accreditation in fiscal 2001, compared to 47 percent in fiscal 2002.

* The percentage of systems that had gone through risk assessments increased from 44 percent in fiscal 2001 to 64 percent in fiscal 2002.

But the numbers are still far from where they should be, Forman said. This fiscal year, OMB has already set a goal to have 80 percent of federal systems be certified and accredited. Other goals are even higher and OMB and Congress must continue to put pressure on agencies as the government transitions to the Federal Information Security Management Act of 2002, which permanently reauthorizes GISRA, he said.

"Oversight of progress has been and will continue to be very important to this," Forman said.

There are some concerns that governmentwide security management is suffering under the organizational changes made with the Homeland Security Department's creation, particularly when it comes to coordination and resources.

But agency IT officials have found that OMB's attention through the GISRA reports has raised agency executives' awareness, which has in turn significantly helped the IT officials implement necessary policy and technology changes.

In the past year, the Commerce Department managed to raise its security procedures on many of the criteria included in OMB's GISRA reporting guidance, said Tom Pyke, chief information officer at the department.

Right now, 96 percent of Commerce's systems have gone through risk assessments, 90 percent have contingency plans in place, 92 percent have undergone certification and accreditation, and 98 percent have an up-to-date security plan, he said.

Commerce has also created a departmentwide database of needed corrective actions and has already addressed 74 percent of those issues identified for fiscal 2003, he said.