May 28, 2003 (11:05 AM EDT)
Government Agencies Making Progress On IT Security
Read the Original Article at InformationWeek
Federal agencies have made considerable progress in discovering and tackling deep-rooted and serious IT security problems, the White House told Congress in a 131-page report issued by the Office of Management and Budget. Despite hard work by agencies to overcome these problems through painstaking security reviews during the past year, OMB said, much work remains. Though progress has been made, the report cautioned that more threats and vulnerabilities also have materialized.
In fiscal year 2001, OMB established a baseline for agency IT security performance. Against that baseline, OMB determined that the agencies showed significant progress during fiscal 2002 in overcoming IT security concerns. "For example," the report said, there were "increases in the percentage of systems with security plans and the percentage of systems certified and accredited."
In 2001, only 40% of 7,411 government IT systems had an up-to-date security plan; last year, 62% of the 7,957 systems reviewed had such plans. Similarly, in 2001, only 30% of the IT systems had contingency plans versus 55% in 2002.
In an OMB report to Congress a year ago, the White House office noted six common governmentwide IT security weaknesses in 2001:
A year later, OMB reported, progress is clearly evident across these six areas. While additional efforts are still warranted, the federal government is heading in the right direction, OMB said.
In the last fiscal year, of the $48 billion allotted for IT, about $2.7 billion was spent on security. OMB estimates the government will spend $4.2 billion on IT security in the current fiscal year, which ends Sept. 30, and $4.7 billion will be spent in fiscal 2004. Spending more on IT security doesn't always improve IT security performance, OMB said. Rather, the report said, the key is effectively incorporating IT security in project and agency management actions.
To that end, OMB administers and implements agency remediation efforts through traditional management and budget processes that hold agencies, including CIOs and agency program officials, answerable for the security of the information and systems that support their programs. Specifically, OMB gauges and tracks progress through annual agency IT security reports; IT budget filings; the president's management agenda, using an E-government scorecard; quarterly reports from agencies on progress against their plans of action and milestones; and quarterly updates from agencies on their progress against IT security performance measures.
In its report to Congress, OMB addressed three milestones for the coming year to overcome governmentwide IT security weaknesses: