Jun 24, 2003 (02:06 PM EDT)
Federal Government Has A Ways To Go To Secure Systems

Read the Original Article at InformationWeek

Since January, the State Department has wiped out more than 155,000 viruses on its IT systems. Between Oct. 1 and May 31, the first eight months of fiscal year 2003, the department recorded more than 700 attempts to hack its IT systems.

Those are just two examples of the vulnerabilities the government's thousands of IT systems face. At a hearing before a House panel Tuesday, government IT experts testified that progress in securing systems is being made, but at a slower pace than many had hoped.

"While some progress is clearly being made at federal agencies, going from an F to a D or D to a C isn't saying much," Rep. Adam Putnam, R-Fla., chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, said in opening remarks at an oversight hearing on cybersecurity. Putnam said Congress, the Bush administration, and agencies must work together to provide a relative degree of comfort that IT systems are secure. "We are a long way from that point today."

Putnam's lament was backed up by a report from the General Accounting Office, the investigative arm of Congress, that showed significant challenges remain in implementing information security requirements. For instance, eight of 24 agencies reported that they hadn't assessed security risks for half of their IT systems.

Robert Dacey, GAO director of information security issues, said various agencies' inspectors general have noted that even when agencies develop plans to correct security problems, their usefulness is limited because they don't identify all weaknesses, provide realistic completion estimates, or prioritize actions. Nine of 14 agency inspectors general surveyed by GAO said their organizations' corrective action plans failed to identify significant cybersecurity weaknesses. "Overall, agencies aren't effectively implementing and managing their information security programs," he testified.

Treasury Department CIO Drew Ladner conceded that it's slow going. A review required by the Government Information Security Reform Act revealed 14 major weaknesses. "Central to the IT security material weaknesses is that the department hasn't yet achieved the goal of full certification and accreditation of mission-critical systems and major applications," Ladner said. "In addition, specialized IT security training and incorporation of security into the capital investment planning process needs improvement."

What's Treasury doing to correct the situation? First, Ladner said, it's implementing an aggressive oversight and compliance program in which each bureau evaluates security policy and guidance, computer incident handling and response, security training, managing plan of actions and milestones, integrating security into capital planning, and getting systems certified and accredited.

Funding isn't a problem. The State Department, for instance, spends more than $1 in $5 of its IT budget on IT security. Acting State Department CIO Bruce Morrison testified that the flagship of its new cybersecurity efforts is a program to certify and accredit all of its 150 IT systems by September 2004, adding that one-third of the systems should be accredited by Sept. 30.

Legislation requiring government organizations to get their IT security in order has resulted in top agency officials buying into the plan. That's seen as progress by some officials. "The most positive impact has resulted from the laws' requirements to view the agency's IT security posture as a whole, rather than as separate parts," said National Aeronautics and Space Administration inspector general Robert Cobb. "The legislation and related [Office of Management and Budget] guidance have provided NASA with a framework for more effectively managing IT security. As a result, NASA senior management is increasing the attention given to IT security."

But Cobb cautioned that NASA must change its decentralized culture--in which power is often found within agency centers--by attacking IT security centrally through its OneNASA concept. If implemented correctly, he said, centralization and a revised architecture will improve the agency's information-security posture. "However, as long as NASA governance structure is such that center CIOs and security officials report to center directors--who are program officials--rather than to the NASA CIO and the agency's assistant administrator for security management and safeguards, a fully integrated approach to information security will be impossible at NASA."

OMB E-government and IT administrator Mark Forman, the federal government's top IT officer, reminded the committee that agencies must develop security plans and get their systems certified and accredited if they want to receive money to fund IT programs. In the coming fiscal year, Forman said, nearly 500 government IT systems have been deemed at risk either solely or in part due to IT security weaknesses because they haven't been properly certified or accredited. By fiscal year 2004, which begins Oct. 1, the administration plans for 80% of the federal government's major IT investments to integrate security into the life cycle of the investment. That's a big challenge, Forman said. "Failure to appropriately incorporate security in new and existing IT investments automatically requires the business case to be scored as 'at-risk,'" he said. "As a result, that system isn't approved for the fiscal year in which the funds were requested until the security weaknesses are addressed."