[ISN] Further security guidance given

From: InfoSec News (isnat_private)
Date: Wed Oct 24 2001 - 00:16:38 PDT


    http://www.fcw.com/fcw/articles/2001/1022/web-gisra-10-23-01.asp
    
    By Diane Frank 
    Oct. 23, 2001
    
    The Office of Management and Budget last week released additional
    guidance on how agencies must comply with a new law that pulls all of
    the federal information security mandates together and calls for
    reports that the administration and Congress will review.
    
    Under the Government Information Security Reform Act of 2000, agencies
    must undergo annual self-assessments and independent assessments of
    their security practices and policies. Agencies sent OMB the first set
    of reports on the results in September.
    
    By Oct. 31, agencies must turn in plans of action and milestones on
    how they plan to fix the weaknesses found in those assessments and
    indicate the resources and timeframe for those corrections. The new
    OMB guidance provides detailed instructions on what information must
    be included in the reports, the format, how they will be tied to the
    budget process, and what to include in the quarterly updates to
    follow. The first update is due Jan. 31, 2002.
    
    The plans must either be consolidated with or accompanied by other
    agency plans to correct security weaknesses found in other reviews,
    providing a better view for agency heads, OMB and Congress.
    
    "A consolidated [plan] provides a road map for continuous agency
    security improvement, assists with prioritizing corrective action and
    resource allocation, and is a valuable management and oversight tool,"
    according to the guidance.
    
    The guidance is based on questions provided by agencies after OMB
    released its instructions for the assessment reports in June. It is
    presented in a question and answer format, with a sample plan that
    outlines the eight categories of information agencies must provide:
    
    * The type of weakness.
    
    * The responsible office or organization.
    
    * Estimated funding and resources required.
    
    * The scheduled final completion date.
    
    * Key milestones and completion dates.
    
    * Milestone changes.
    
    * The review that found the weakness.
    
    * The plan's status (ongoing or completed).
    
    Agencies should turn over the initial plan to OMB on a diskette as a
    Microsoft Corp. Excel worksheet. OMB is not requiring a specific
    format for the status updates.
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 01:44:17 PDT