[ISN] Agencies make security improvements

From: InfoSec News (isnat_private)
Date: Thu Apr 10 2003 - 23:34:49 PDT


    http://www.fcw.com/fcw/articles/2003/0407/web-gisra-04-10-03.asp
    
    By Diane Frank 
    April 10, 2003
    
    The government has made "substantial" progress in information security
    since last year, but the same measurements that identify improvement
    also highlight that there is a long way to go, testified Mark Forman,
    associate director for information technology and e-government at the
    Office of Management and Budget, at a House hearing April 8.
    
    The final report to Congress under the Government Information Security
    Reform Act (GISRA) of 2000 is in its final draft and will soon be
    released. It includes the second year of performance metrics in many
    security areas, and the improvement in those areas is significant,
    Forman told the House Government Reform Committee's Technology,
    Information Policy, Intergovernmental Relations and the Census
    Subcommittee.
    
    Some of those metrics are:
    
    * In fiscal 2001, only 40 percent of federal systems had the required
      up-to-date security plans. In fiscal 2002, that increased to 61
      percent.
    
    * Only 27 percent of federal systems underwent security certification
      and accreditation in fiscal 2001, compared to 47 percent in fiscal
      2002.
    
    * The percentage of systems that had gone through risk assessments
      increased from 44 percent in fiscal 2001 to 64 percent in fiscal
      2002.
    
    But the numbers are still far from where they should be, Forman said.  
    This fiscal year, OMB has already set a goal to have 80 percent of
    federal systems be certified and accredited. Other goals are even
    higher, and OMB and Congress must continue to put pressure on agencies
    as the government transitions to the Federal Information Security
    Management Act of 2002, which permanently reauthorizes GISRA, he said.
    
    "Oversight of progress has been and will continue to be very important
    to this," Forman said.
    
    There are some concerns that governmentwide security management is
    suffering under the organizational changes made with the Homeland
    Security Department's creation, particularly when it comes to
    coordination and resources.
    
    But agency IT officials have found that OMB's attention through the
    GISRA reports has raised agency executives' awareness, which has in
    turn significantly helped the IT officials implement necessary policy
    and technology changes.
    
    In the past year, the Commerce Department managed to raise its
    security procedures on many of the criteria included in OMB's GISRA
    reporting guidance, said Tom Pyke, chief information officer at the
    department.
    
    Right now, 96 percent of Commerce's systems have gone through risk
    assessments, 90 percent have contingency plans in place, 92 percent
    have undergone certification and accreditation, and 98 percent have an
    up-to-date security plan, he said.
    
    Commerce has also created a departmentwide database of needed
    corrective actions and has already addressed 74 percent of those
    issues identified for fiscal 2003, he said.
    
    
    