Evans: No big changes in security guidance

Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology, testified today that she has no plans for making major revisions to OMB's information security policy guidance, despite some lawmakers' questions about its effectiveness.

But Evans said she would be willing to consider additions or changes that would make annual security evaluations more consistent among federal agencies. The evaluations are required under the Federal Information Security Management Act of 2002, which OMB administers.

Rep. Tom Davis (R-Va.), who conducted today's congressional hearing, questioned the quality of OMB's guidance and whether a standard auditing approach is necessary in light of the federal government's D-plus grade on information security.

Members of Davis' Government Reform Committee are considering whether agency inspectors general who conduct security evaluations might have a need for information security audit standards, similar to those used for auditing financial management systems.

Because federal IGs have different levels of resources and expertise, any new standards that would support greater consistency would be something that OMB could support, Evans said.

Davis later wanted to know if the Homeland Security Department has unique problems that make it especially difficult for DHS to get a good security grade. DHS is responsible for the nation’s cybersecurity but has received an F on its own security report card two years in a row.

"What’s holding them up?" Davis asked Steve Cooper, the department's CIO.

Cooper responded that the department has procedures in place that will enable it to earn a respectable grade by 2006.

Davis thanked Cooper for his efforts at DHS. Cooper is leaving the top CIO position at DHS later this month.