[ISN] OMB: IT systems security at highest level in three years
InfoSec News
isn at c4i.org
Fri Mar 4 05:09:56 EST 2005
http://www.gcn.com/vol1_no1/daily-updates/35225-1.html
By Jason Miller
GCN Staff
03/03/05
On the heels of another poor showing in the annual congressional
cybersecurity report card, the Office of Management and Budget earlier
this week touted agency systems' security as being stronger than ever.
In the fiscal 2004 Federal Information Security Management Act report
sent to Congress, the administration said 77 percent of 8,623 systems
were certified and accredited as safe, and agencies tested their
management, operation and technical controls of 76 percent of their
applications.
These are improvements from the 2003 report, where agencies reported
62 percent of 7,998 systems as secure and found 64 percent had tested
their security controls.
Even with this progress, agencies still have not met OMB's goal of
securing 80 percent of all systems. Last December, the administration
upped the ante and required 90 percent of all systems certified and
accredited by Sept. 30.
"The federal government has made significant progress in identifying
and addressing its security weaknesses," OMB said in the report.
However, uneven implementation of security measures across the
federal government leaves vulnerabilities to be corrected.
The House Committee on Government Reform gave governmentwide
cybersecurity a D grade in its annual report card released last month
[see GCN story]. [1]
OMB also found agencies made progress in other security-related areas.
For instance, 85 percent of agencies met OMB's goal of building
security costs into the overall price of the project, and tested
contingency plans for 57 percent of all applications.
The administration said agencies need to improve their agencywide
plans of action and milestones to improve security weaknesses and
continue to develop their certification and accreditation processes.
The departments of Defense, Health and Human Services, Homeland
Security, Housing and Urban Development and the Small Business
Administration did not have plans of action and milestones approved
by their respective inspectors general.
The IGs of the departments of Commerce, Defense, Education, HHS, DHS,
HUD and NASA also said the certification and accreditation processes
were poor.
According to OMB, agencies need to improve their accuracy, timeliness
and completeness of cybersecurity incident reports filed with DHS. In
2004, agencies reported 2,058 attacks to the DHS incident response
center.
"Less than full reporting hampers the government's ability to know
whether an incident is isolated at one agency or is part of a larger
event, e.g., the widespread propagation of an Internet worm, and thus
complicates and delays appropriate response such as distributing
security patches or other compensating controls," OMB noted.
DHS is piloting software for automatic transmittal of incident data
from agency systems. The application should improve the government's
ability to protect systems and respond to attacks, OMB said.
[1] http://www.gcn.com/24_4/news/35141-1.html