Federal agencies have made considerable progress in discovering and tackling deep-rooted and serious IT security problems, the White House told Congress in a 131-page report issued by the Office of Management and Budget. Despite hard work by agencies to overcome these problems through painstaking security reviews during the past year, OMB said, much work remains. Though progress has been made, the report cautioned that more threats and vulnerabilities also have materialized.
In fiscal year 2001, OMB established a baseline for agency IT security performance. Against that baseline, OMB determined that the agencies showed significant progress during fiscal 2002 in overcoming IT security concerns. "For example," the report said, there were "increases in the percentage of systems with security plans and the percentage of systems certified and accredited."
In 2001, only 40% of 7,411 government IT systems had an up-to-date security plan; last year, 62% of the 7,957 systems reviewed had such plans. Similarly, in 2001, only 30% of the IT systems had contingency plans versus 55% in 2002.
In an OMB report to Congress a year ago, the White House office noted six common governmentwide IT security weaknesses in 2001:
- Lack of agency senior management attention to IT security
- Nonexistent IT security performance measures
- Poor security education and awareness
- Failure to fully fund and integrate security into capital planning and investment-control process
- Failure to ensure that contractor services are adequately secure
- Lack of detection, reporting, and sharing of information on vulnerabilities
A year later, OMB reported, progress is clearly evident across these six areas. While additional efforts are still warranted, the federal government is heading in the right direction, OMB said.
In the last fiscal year, of the $48 billion allotted for IT, about $2.7 billion was spent on security. OMB estimates the government will spend $4.2 billion on IT security in the current fiscal year, which ends Sept. 30, and $4.7 billion will be spent in fiscal 2004. Spending more on IT security doesn't always improve IT security performance, OMB said. Rather, the report said, the key is effectively incorporating IT security in project and agency management actions.
To that end, OMB administers and implements agency remediation efforts through traditional management and budget processes that hold agencies, including CIOs and agency program officials, answerable for the security of the information and systems that support their programs. Specifically, OMB gauges and tracks progress through annual agency IT security reports, IT budget filings, the president's management agenda (using an E-government scorecard), quarterly reports from agencies on their progress against their plans of action and milestones, and quarterly updates from agencies on their progress against IT security performance measures.
In its report to Congress, OMB addressed three milestones for the coming year to overcome governmentwide IT security weaknesses:
- All agencies must establish and maintain an agencywide process for developing and implementing program and system-level plans. Their plans of action and milestones must serve as agencies' authoritative management tools, to ensure that they fix program and system-level IT security weaknesses. By Sept. 30, the White House is requiring all agencies to create a process to ensure that program and system-level IT security weaknesses, once identified, are tracked and corrected.
- Many agencies find themselves faced with the same security weaknesses year after year--such as systems that lack security plans or that haven't been certified and accredited. OMB said it will continue to help agencies prioritize and reallocate money to address these problems. President Bush's budget set a goal that by year's end 80% of federal IT systems will be certified and accredited.
- Significant problems remain, particularly in guaranteeing security of legacy systems. By year's end, the administration hopes that 80% of the government's major IT investments will appropriately integrate security into the life cycle of the investment.