[ISN] OMB: Agencies make headway with IT security

From: InfoSec News (alerts@private)
Date: Sun Mar 04 2007 - 22:11:52 PST


By Jason Miller
March 2, 2007

The state of the government's cybersecurity position has improved over 
the past year, but significant holes remain, especially in the areas of 
categorizing the risk level of systems and training, according to the 
Office of Management and Budget.

OMB found that more than 700 systems, including 397 managed by agencies, 
had not been categorized as high, medium or low risk. Also, the 
administration said more agency employees have received information 
technology security training, up 10 percent since last year, but more 
needs to be done.

In its fourth annual Federal Information Security Management Act report 
sent to Congress March 1, OMB said it will rely on the Security Line of 
Business effort to better train employees by using a standard program. 
OMB named three shared-service centers for security training in 
February: the Office of Personnel Management, the State Department and 
the U.S. Agency for International Development, and the Defense 

Overall, OMB found that agencies have certified and accredited 89 
percent of the 10,595 federal systems. This is a 1 percent increase 
since last year on more than 300 systems that departments identified.

State and the Homeland Security Department made the most progress, while 
four agencies, which the report does not name, did not characterize the 
risk of a significant number of systems, OMB said.

This suggests these agencies are not prioritizing their systems and 
working to secure the systems presenting the highest-risk impact level, 
nor do they know at what level to secure those systems not categorized, 
the report states. OMB intends to follow up individually with these 

The report also said agencies made progress in testing their 
security controls and contingency plans. OMB found that 88 percent of 
all systems had their security controls tested, while 77 percent of them 
had their contingency plans tested. This is up from 61 percent and 72 
percent, respectively, last year.

DOD increased its system testing by more than 30 percent last year, OMB 

Agencies also are paying more attention to systems managed by 
contractors. OMB said 18 of 24 agencies said they either frequently, 
mostly, or almost always have sustained oversight of contractor-run 

Beyond securing their systems, agencies also recorded a large increase 
in the number of security incidents reported to the U.S. Computer 
Emergency Response Team (CERT).

Agencies reported 706 unauthorized accesses, up from 304 in 2005. OMB 
credits most of the increase to the focus on reporting lost or stolen 
computers and other hardware containing personally identifiable 

Privileged or root system access accounted for 25 percent of 
unauthorized access incidents, more than double that of non-privileged 
access, the report states.

Meanwhile, denial-of-service attacks increased by six in 2006 to 37, 
while incidents involving malicious code dropped to 1,465 from 1,806 in 

The reason for this is probably two-fold: no major virus outbreaks of 
note in fiscal year 2006, and improvements in patching systems in a 
timely manner prevent vulnerabilities from being exploited, the report 

OMB did say that the number of incidents being investigated increased by 
11 times. Officials credit the increased use of intensive analysis of 
suspicious traffic under the Einstein program, run by CERT.

Over the next year, OMB will work with federal agencies to increase the 
exchange of packet-level information regarding incidents which have 
penetrated an agency's perimeter, the report states. Sharing this data 
will enable more effective analysis of attacks targeting multiple 
federal agencies, and may enable more timely responses to new threats.

This archive was generated by hypermail 2.1.3 : Sun Mar 04 2007 - 22:32:21 PST