[ISN] Guidance drafted on security reports

From: InfoSec News (isnat_private)
Date: Thu Apr 19 2001 - 23:48:17 PDT

  • Next message: InfoSec News: "[ISN] Exploit devastates WinNT/2K security"

    BY Diane Frank
    The Office of Management and Budget is circulating draft guidance on
    what agencies should include in the annual reports they must produce
    under the Government Information Security Reform Act.
    The act, passed in October 2000 as part of the fiscal 2001 Defense
    Authorization Act, is intended to foster good security practices
    within civilian and national security agencies. It requires chief
    information officers and inspectors general to perform vulnerability
    assessments on their agencies security programs and practices.
    OMB issued general guidance in January on the approach that agency
    program managers and IGs should take on the assessments. But now, OMB
    is providing a draft of guidance that details exactly what information
    should be included in the reports. In the draft guidance, which is not
    available online, OMB asks agencies for:
    * An executive summary from the agency head on how the agency is
      implementing GISRA. The summary should combine information from the
      agency CIO and the agency IG, and it will form the basis of OMBs
      summary to Congress.
    * Details about the agencies annual program reviews and
      evaluations. Agencies will provide details on every program and
      system by answering 11 questions that range from identifying funding
      to describing the performance measures used by program managers and
    Agencies reports on their security evaluations are due to OMB by
    September. OMB will compile the reports and submit a governmentwide
    report to Congress. Congress in turn will use the reports to determine
    whether an agency is adequately protecting the systems that support
    its services to employees and citizens.
    By Oct. 30, agencies must report to OMB the strategies, milestones and
    obstacles involved in addressing any security weaknesses found in the
    ISN is hosted by SecurityFocus.com
    To unsubscribe email LISTSERVat_private with a message body of

    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 03:45:38 PDT