OMB: Security First

The Office of Management and Budget says agencies will have to show improved security before they'll get the money they're seeking to modernize their IT systems.

information Staff, Contributor

March 3, 2004


Federal departments and agencies are making strides in improving the management of information security, but more work is needed, the White House told Congress on Wednesday.

Agencies won't be able to spend money sought to modernize their IT systems until they show improvement in information-security management, the Office of Management and Budget says. In fact, OMB says, the agencies should use money sought for new IT development to improve information-security management if additional resources are needed to resolve weaknesses.

In its annual Federal Government Information Security Management report to Congress, OMB says fewer than two-thirds of federal IT systems had been accredited by Dec. 31, falling far short of its goal of 80%. Still, that was an improvement over 2002, when only 47% were certified.

By this past Dec. 31, the government hoped to have had 80% of major IT investments appropriately integrate security into their life cycles. That goal was nearly achieved, with 78% of federal IT systems planned and budgeted for IT security requirements as part of the overall development or maintenance of systems, up from 60% a year earlier. Still, OMB says, significant problems remain, particularly in ensuring security of existing systems.

The government also set a goal that by last Dec. 31, all agencies would have created a central remediation process to ensure that program-level and system-level IT security weaknesses, once identified, were tracked and corrected. While each agency does have an IT-security-remediation process, OMB says, the maturity of those processes varies greatly. Out of the 24 agencies, only half have a remediation process verified by their inspectors general as meeting the necessary criteria.

OMB notes significant increases in the percentage of systems with security plans and the number of systems certified and accredited in fiscal 2003, which ended Sept. 30. Yet, OMB says, many federal systems lack appropriate contingency plans to ensure continuity of operations. Another continuing area of concern: a low governmentwide percentage of systems with tested contingency plans.

Federal CIOs need help making sure money is spent properly to assure appropriate information security management, OMB says. "Even though awareness of IT security requirements and responsibilities has spread beyond security and IT employees, more agency program officials must engage and be held accountable for ensuring that the systems that support their programs and operations are secure," the report states. "Ensuring the security of most agency information and systems is not the responsibility of the agency CIO. The majority of IT spending within agencies is not on IT infrastructure and networks, traditionally owned and operated by CIOs, but rather on mission IT investments. In fact, historically, over 65% of agency IT investments are normally mission-IT related. It is within these systems that many weaknesses recur."
